Microsoft Exchange Exploited By ‘Cuba’

A ransomware gang known as Cuba is exploiting Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as its initial access vector. Cuba is a ransomware operation that launched at the end of 2019 and has grown quickly.

The FBI says that Cuba has targeted at least 49 US entities in the financial, government, healthcare, manufacturing, and IT sectors.

The FBI has reported that the Cuba ransomware is delivered through Hancitor, a loader that has been in circulation for around five years and serves as a first-stage implant for dropping additional payloads onto a victim's network.

The group frequently targets vulnerabilities in public-facing Microsoft Exchange servers, scanning to find which networks are exposed. Mandiant, which tracks the Cuba ransomware as COLDRAW, reports that Cuba may be the only group using the strain.

To identify live hosts to encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool that sends ICMP ping requests to a list of hosts generated by a PowerShell script that enumerates Active Directory. The operators then look for files of interest, routinely running a script that maps all drives to network shares, "which may assist in user file discovery," Mandiant researchers noted.
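The reconnaissance chain described above (an Active Directory computer enumeration, followed by a burst of single-packet pings against the resulting host list, followed by bulk mapping of drive letters to remote shares) is a useful thing to correlate in endpoint telemetry. The following is an added example, not code from the FBI or Mandiant reports or from the Cuba operators, of such a correlation run over constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688 after field extraction. The event tuples, host names, user names, thresholds and the 30-minute window are all assumptions chosen for illustration.

```python
"""Correlate AD enumeration -> ping sweep -> mass share mapping on one host.

Added example; the sample records below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    # Benign helpdesk session: one AD query, two pings, one mapped home drive.
    ("2021-12-03T09:00:00", "WS-ADMIN01", "corp\\helpdesk",
     "powershell.exe Get-ADComputer -Filter * | Select-Object Name"),
    ("2021-12-03T09:00:05", "WS-ADMIN01", "corp\\helpdesk", "ping.exe -n 1 fs01"),
    ("2021-12-03T09:00:06", "WS-ADMIN01", "corp\\helpdesk", "ping.exe -n 1 fs02"),
    ("2021-12-03T09:00:30", "WS-ADMIN01", "corp\\helpdesk", "net.exe use H: \\\\fs01\\home"),
    # Suspicious chain on a web-facing server running as SYSTEM (hypothetical host name).
    ("2021-12-03T02:14:00", "EXCH01", "nt authority\\system",
     "powershell.exe -nop -w hidden -c \"([adsisearcher]'objectcategory=computer').FindAll()\""),
]
# Forty single-packet pings across a /24, one per second, right after the enumeration.
SAMPLE_EVENTS += [
    ("2021-12-03T02:15:%02d" % i, "EXCH01", "nt authority\\system",
     "ping.exe -n 1 10.0.0.%d" % (10 + i))
    for i in range(40)
]
# Eight admin shares mapped to consecutive drive letters a few minutes later.
SAMPLE_EVENTS += [
    ("2021-12-03T02:20:%02d" % i, "EXCH01", "nt authority\\system",
     "net.exe use %s: \\\\10.0.0.%d\\C$" % (chr(ord("Q") + i), 10 + i))
    for i in range(8)
]

# Stage signatures. Patterns are illustrative; tune them to your own baseline.
STAGES = {
    "ad_enum": re.compile(r"(?i)get-adcomputer|adsisearcher|dsquery\s+computer"),
    "ping_sweep": re.compile(r"(?i)\bping(\.exe)?\s+-n\s+1\b"),
    "share_map": re.compile(r"(?i)\bnet(\.exe)?\s+use\s+[a-z]:\s+\\\\"),
}


def correlate(events, window=timedelta(minutes=30), min_pings=20, min_shares=5):
    """Return one alert per host where an AD enumeration is followed, within
    `window`, by at least `min_pings` single-packet pings and `min_shares`
    drive-to-share mappings. Thresholds are assumptions, not vendor guidance."""
    by_host = defaultdict(list)
    for ts, host, user, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), user, cmd))

    alerts = []
    for host, recs in by_host.items():
        recs.sort()  # chronological order per host
        for i, (t0, user, cmd) in enumerate(recs):
            if not STAGES["ad_enum"].search(cmd):
                continue
            later = [r for r in recs[i + 1:] if r[0] - t0 <= window]
            pings = sum(1 for _, _, c in later if STAGES["ping_sweep"].search(c))
            shares = sum(1 for _, _, c in later if STAGES["share_map"].search(c))
            if pings >= min_pings and shares >= min_shares:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": t0.isoformat(),
                    "pings": pings,
                    "shares": shares,
                })
                break  # one alert per host per enumeration burst is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("recon chain on %(host)s as %(user)s from %(start)s: "
              "%(pings)d pings, %(shares)d shares mapped" % alert)
```

The helpdesk workstation runs the same three command types and produces no alert, because the detection keys on volume within a window rather than on any single command; a lone `Get-ADComputer` or `net use` is routine administration. Raising `min_pings` and `min_shares` to match what your administrators actually do is the main tuning knob.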

Whilst Cuba has a history of exploiting Microsoft Exchange vulnerabilities, it has other initial access methods, including phishing emails, compromised credentials, and legitimate Remote Desktop Protocol (RDP) tools.

According to the FBI, the group will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. Applying security updates as soon as vendors release them therefore remains key to maintaining robust defences, even against sophisticated threat actors.

Sources: FBI, Oodaloop, Mandiant, Threatpost, Vumetric, InfoSecToday, Bleeping Computer, ZDNet
