Microsoft Exchange Exploited By ‘Cuba’
A ransomware gang known as Cuba is exploiting Microsoft Exchange vulnerabilities, including the ProxyShell and ProxyLogon flaws, as its initial attack vector. Cuba is a ransomware operation that launched at the end of 2019 and has grown quickly since.
The FBI says Cuba has compromised at least 49 organisations in the US financial, government, healthcare, manufacturing and IT sectors.
The FBI has reported that Cuba ransomware is distributed through Hancitor, a loader that has been in circulation for about five years and is known for dropping or executing further payloads, including remote access trojans and other ransomware, on victims' networks.
The group frequently targets vulnerabilities in public-facing Microsoft Exchange servers, scanning to find which networks are exposed. Mandiant reports that Cuba deploys the COLDRAW ransomware and may be the only group that uses the strain.
To identify live hosts to encrypt and files to exfiltrate, Cuba uses WEDGECUT, a reconnaissance tool that sends ICMP ping requests to a list of hosts produced by a PowerShell script that enumerates Active Directory. The operators then look for files of interest and routinely run a script that maps all drives to network shares, “which may assist in user file discovery,” Mandiant researchers noted.
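The WEDGECUT and drive-mapping behaviour Mandiant describes is a detection opportunity. What follows is an added example, not code from the article, Mandiant or the FBI: a small Python detector run over constructed telemetry (the event field names, host names and IP addresses are assumptions) that flags a host which enumerates Active Directory computers from PowerShell and then ICMP-pings many of them within a short window, and separately flags bulk drive mapping via `net use`.

```python
"""Detection logic for WEDGECUT-style reconnaissance: a PowerShell script that
enumerates Active Directory computers, a burst of ICMP echo requests from one
host to many of them, and a drive-mapping command. All telemetry below is
constructed for this example; field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "icmp" records as a host firewall or flow
# collector might log echo requests, "ps_script" records as PowerShell script
# block logging (Event ID 4104) would expose them.
_BASE = datetime(2021, 12, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": _BASE.isoformat(), "host": "WS01", "kind": "ps_script",
     "script": '$h = ([adsisearcher]"(objectCategory=computer)").FindAll() | % { $_.Properties.dnshostname }'},
    {"ts": (_BASE + timedelta(minutes=2)).isoformat(), "host": "WS01", "kind": "ps_script",
     "script": r"net use Z: \\FS01\share /persistent:no"},
    # Benign: a monitoring box that pings two gateways.
    {"ts": (_BASE + timedelta(seconds=40)).isoformat(), "host": "MON01", "kind": "icmp", "dst": "10.0.0.254"},
    {"ts": (_BASE + timedelta(seconds=41)).isoformat(), "host": "MON01", "kind": "icmp", "dst": "10.0.1.254"},
]
# WS01 pings twelve enumerated machines over about half a minute.
SAMPLE_EVENTS += [
    {"ts": (_BASE + timedelta(seconds=30 + 3 * i)).isoformat(), "host": "WS01",
     "kind": "icmp", "dst": f"10.0.0.{i + 1}"}
    for i in range(12)
]

# Script block patterns worth alerting on, especially when they fire on one host.
RECON_PATTERNS = {
    "ad_computer_enum": re.compile(
        r"Get-ADComputer|\[adsisearcher\].*objectCategory=computer", re.IGNORECASE),
    "drive_mapping": re.compile(r"\bnet\s+use\s+[a-z]:\s+\\\\", re.IGNORECASE),
}


def detect_ping_sweep(events, min_targets=10, window=timedelta(minutes=2)):
    """Return {host: n} for hosts whose echo requests reach at least
    min_targets distinct destinations within any span of length `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "icmp":
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["dst"]))
    sweeps = {}
    for host, pings in per_host.items():
        pings.sort()
        widest = 0
        for i, (start, _) in enumerate(pings):
            # Distinct targets inside the window that opens at this ping.
            targets = {dst for ts, dst in pings[i:] if ts - start <= window}
            widest = max(widest, len(targets))
        if widest >= min_targets:
            sweeps[host] = widest
    return sweeps


def detect_recon_scripts(events):
    """Return (host, pattern_name, ts) for every script block matching RECON_PATTERNS."""
    hits = []
    for ev in events:
        if ev["kind"] != "ps_script":
            continue
        for name, pattern in RECON_PATTERNS.items():
            if pattern.search(ev["script"]):
                hits.append((ev["host"], name, ev["ts"]))
    return hits


def correlate(events):
    """Hosts that enumerated AD computers and then swept many hosts: the
    combination, not either signal alone, is the WEDGECUT-like behaviour."""
    sweeps = detect_ping_sweep(events)
    enum_ts = {}
    for host, name, ts in detect_recon_scripts(events):
        if name == "ad_computer_enum":
            enum_ts[host] = min(enum_ts.get(host, ts), ts)
    flagged = []
    for host in sweeps:
        if host not in enum_ts:
            continue
        last_ping = max(ev["ts"] for ev in events if ev["kind"] == "icmp" and ev["host"] == host)
        if last_ping >= enum_ts[host]:  # enumeration preceded the sweep
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print("ping sweeps:", detect_ping_sweep(SAMPLE_EVENTS))
    print("recon scripts:", detect_recon_scripts(SAMPLE_EVENTS))
    print("flagged hosts:", correlate(SAMPLE_EVENTS))
```

The thresholds (ten distinct targets in two minutes) are starting points, not tuned values; monitoring systems and vulnerability scanners legitimately sweep subnets, so in production the ping-sweep signal is best gated on the preceding AD enumeration, as `correlate` does, rather than alerted on alone.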
Exchange exploitation is only one of the group's intrusion routes: the FBI also lists phishing emails, compromised credentials and the abuse of legitimate Remote Desktop Protocol (RDP) tools as ways in.
According to the FBI, the group will likely turn to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. Applying security updates as soon as vendors release them therefore remains key to a robust defence against even sophisticated threat actors.
Sources: FBI, Oodaloop, Mandiant, Threatpost, Vumetric, InfoSecToday, Bleeping Computer, ZDNet