
Cuba Ransomware Group Hacked FRONTEO

In yesterday’s post, I didn’t have info yet on the ransomware group that hacked FRONTEO. But I can now report that it was the Cuba ransomware group that reportedly hacked FRONTEO’s site.

Apparently, when they hacked FRONTEO’s site on May 11th, they displayed a message on the site claiming responsibility for the attack. They also noted the “date the files were received” (11 May 2022), the website hacked (https://legal.fronteousa.com) and the “files” captured – “Financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code.”

Here is a screen shot of what was supposedly displayed on the FRONTEO site (courtesy of this tweet from DailyDarkWeb). As you can see, it has a “Download” button, which implies the data could be downloaded, but the button might simply be a subterfuge for stealing a password (see below).

FRONTEO has since reclaimed their site and removed the message.

Despite the name, Cuba Ransomware is allegedly associated with Russia: Russian-language strings are often found in their malware code, and they often use Russian on the Dark Web data leak sites when they are selling data they have stolen.

This article from SOCRadar profiles the Cuba Ransomware group, including a couple of their notable victims. The article notes that “Cuba Ransomware has partnered with Hancitor downloader. Many cybersecurity firms have discovered recent Hancitor campaigns dropping Cobalt Strike beacons on compromised computers.”

I also found additional links about the Cuba Ransomware group including this one from Threatpost regarding their exploitation of Microsoft Exchange bugs and this one from ZDNet indicating that they “attacked ‘49 entities in five critical infrastructure sectors’ and made at least $43.9 million in ransom payments.”

This group doesn’t mess around!

I discussed the Fronteo ransomware attack with the Project Counsel Media team, including Eric De Grasse, who is Chief Technology Officer of The Project Counsel Group, with 30+ years of experience in cybersecurity, digital/mobile media technology, software development and legal technology.

De Grasse confirmed the approach of the Cuba Ransomware group, stating: “The Cuba M.O. is to install password-stealers, like Pony, Ficker, or their Cobalt Strike and is usually distributed through malicious spam campaigns pretending to be DocuSign invoices. That is where they excel. As our Group has noted before, document signing services are an easy cyber attack route.”

De Grasse even provided a screen shot example of a previous attack using DocuSign:
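De Grasse’s point that Cuba’s password stealers arrive in spam posing as DocuSign invoices suggests one cheap check a mail gateway or SOC triage script can run: does a message that presents itself as DocuSign actually come from, and link to, DocuSign-owned domains? The script below is an added example written for this post; it is not code from eDiscovery Today, FRONTEO or the Project Counsel Group. The three sample messages are constructed, and the list of “legitimate” DocuSign domains is an assumption for illustration that a real deployment would replace with the sender domains verified for its own tenant.

```python
"""Flag e-mail that claims to be DocuSign but is sent from, or links to,
domains DocuSign does not own (display-name spoofing and lookalike links).
Added example; sample messages are constructed and LEGIT_DOCUSIGN_DOMAINS
is an assumption for illustration, not a verified list."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: domains a genuine DocuSign notification would use.
LEGIT_DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")

# Captures the host part of any http(s) URL in the body text.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_legit_domain(host: str) -> bool:
    """True if host is one of the assumed DocuSign domains or a subdomain of one.
    A lookalike such as docusign.net.example is NOT accepted."""
    host = host.split(":")[0].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOCUSIGN_DOMAINS)


def classify(raw_message: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    reasons = []

    # Only messages that present themselves as DocuSign traffic are of interest.
    if "docusign" not in (display_name + " " + subject).lower():
        return {"suspicious": False, "reasons": reasons}

    # Check 1: display name says DocuSign, but the address domain belongs to someone else.
    sender_domain = domain_of(address)
    if not is_legit_domain(sender_domain):
        reasons.append(f"sender domain {sender_domain or '(none)'} is not a DocuSign domain")

    # Check 2: the "review your document" links lead somewhere DocuSign does not control.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    for host in URL_HOST_RE.findall(body):
        if not is_legit_domain(host):
            reasons.append(f"link host {host} is not a DocuSign domain")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail); hosts use reserved .example names.
SAMPLES = {
    "lookalike": (
        "From: DocuSign <notify@docusign-invoices.example>\n"
        "Subject: Completed: Invoice #INV-4471 is ready to sign\n\n"
        "Review your document: http://docs-sign-portal.example/view/4471\n"
    ),
    "genuine": (
        "From: DocuSign <dse@docusign.net>\n"
        "Subject: Please sign: Engagement Letter\n\n"
        "https://app.docusign.net/signing/placeholder-path\n"
    ),
    "unrelated": (
        "From: Alice <alice@example.com>\n"
        "Subject: Lunch on Friday?\n\n"
        "See you at noon. http://menu.example/today\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {classify(raw)}")
```

Only the “lookalike” sample is flagged, with one reason for the sender domain and one for the link host; the “unrelated” message is ignored entirely because it never claims to be DocuSign, which keeps the check from generating noise on ordinary mail. Suffix matching is anchored on a leading dot so that a registered lookalike such as docusign.net.example does not pass as a subdomain.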

Regarding the attack itself, De Grasse said: “Given the Fronteo U.S. website looks fairly *normal* I surmise the Cuba ransom logo on the home page was removed the old fashioned way: by disconnecting everything from the internet, removing all connections, both virtual and physical. Then manually reload websites/software but with cyber protection filters.

And all computers/devices would have been returned to factory settings – complete wipe out. Based on previous Cuban ransomware attacks, I must assume the attackers blocked the operating systems so that would have been the only way to get back up and running.

What we do not know is how Fronteo’s data was encrypted or if Fronteo has simply paid by now – quite common for Japanese firms.”

Regarding how this impacts the industry in general, De Grasse didn’t mince words: “I do chuckle when I see all of the widespread legal industry breaches (legal vendors and law firms) because vendors and lawyers have a duty to protect privileged client information and advertise themselves as experts in cybersecurity: advising clients on how to prevent and limit data breaches. The cybersecurity ignorance I saw and heard at Legaltech this year was off the chart. Pathetic. Legaltech has absolutely zero business in the cybersecurity market, talking about the cybersecurity market.

We run a pen test company. We are paid to attack law firms and legaltech vendors, all off-the-record. It never ceases to amaze me the incompetence and simple ignorance of lawyers and legaltech ‘techies’ about the need for strong passwords, encryption, multifactor authentication, phishing scams, etc. Or the risks of using file sharing sites, and the simple moves to protect devices against malware.

And the danger of using public computers and Wi-Fi or even VPNs. At Legaltech our team accessed multiple networks with ease … granted, we have pretty sophisticated software, the kind a black hat would use…which we brought to the attention of our victims.

And now, with remote document review, with the use of cloud-centered workflow, review center security needs to be the foremost concern. Any analysis of a remote review workforce/structure needs to take that into the special security concerns. But stringent security protocols are not in place on so many doc reviews. Vendors just want to cut costs. It seems paying beer money to contract reviewers is not enough cost cutting for them. So they save even more by skimping on security.

The best review centres I have attacked (meaning the most difficult to breach) use company assets, not personal computers improperly provisioned. There is data encryption in transit and at rest. The use of secure FTP with AES 256-bit encryption. The inability to screen scrape, download, print, or use externally attached devices (a massive data breach problem as demonstrated in the opioid litigation reviews). Multifactor authentication protocols such as FIDO (Fast ID Online).

In a way, no surprise. Legal vendors/legal staffing agencies are just too far down the food chain: a service industry to another service industry (mostly law firms) who are themselves a service industry to the end user who cuts the check: corporations. Too many bites of the apple along the way, too tight margins all along the food chain. So proper security expenditures? Nope.”

Wow.

While those comments are a general commentary about the industry, it will be interesting to see what else FRONTEO eventually discloses about the breach, if anything. It’s certainly a reminder of just how important security is and how vulnerable so many companies are, including eDiscovery companies.

So, what do you think? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

2 comments

  1. Great info and article, with no holds barred…I like that! Thanks, Doug.

    Aaron Taylor
