Microsoft Exchange Exploited By ‘Cuba’

Uploaded on 2022-03-08 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

A ransomware gang known as Cuba is exploiting  Microsoft Exchange bugs, including  ProxyShell and ProxyLogon as the initial attack vectors. Cuba is a ransomware operation that launched at the end of 2019, and has accelerated quickly. 

The FBI says that Cuba has been responsible for  targeting at least 49 US entities in the financial, government, healthcare, manufacturing, and IT sectors. 

The FBI has reported that the Cuba ransomware is distributed via a first-stage implant and acts as a loader for additional payloads, such as the Hancitor malware that has been around for five years.  Cuba has explored Exchange vulnerabilities before and their attacks have included phishing emails, compromised credentials, or legitimate Remote Desktop Protocol tools. 

The group frequently targets vulnerabilities on public-facing Microsoft Exchange software, seeking to detect which networks are vulnerable to attack. Mandiant has reported that Cuba uses the COLDRAW ransomware and might be the only group to use the strain.

In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory. Then, they explore to find what files might be of interest, routinely use a script to map all drives to network shares, “which may assist in user file discovery,” Mandiant researchers noted.

Whilst Cuba has a history of exploiting Microsoft Exchange vulnerabilities, but they have other attack methods,  including  phishing emails and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.

According to the FBI, they will likely turn their attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This means that applying the available security updates as soon as the software vendors release them is key in maintaining a robust security against most sophisticated threat actors.

FBI:    Oodaloop:    Mandiant:     Threatpost:    Vumetric:     InfoSecToday:     Bleeping Computer:    ZDNet

You Might Also Read: 

Ransomware Is The Number One Threat:


 

« NATO Tests A Post-Quantum VPN
Making Sense Of The Edge »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

Synack

Synack

Synack provides a hacker-powered intelligence platform that uncovers security vulnerabilities that often remain undetected by traditional pen testers and scanners.

Cyberlitica

Cyberlitica

Cyberlitica (formerly iPhish) provides a Workforce Threat Intelligence application that significantly augments companies’ cyber threat prevention efforts.

Chainalysis

Chainalysis

Chainalysis provides blockchain analysis software to prevent, detect and investigate cryptocurrency money laundering, fraud and compliance violations.

Oak Ridge National Laboratory (ORNL)

Oak Ridge National Laboratory (ORNL)

ORNL conducts basic and applied research and development in key areas of science for energy, advanced materials, supercomputing and national security including cybersecurity.

R3

R3

R3 is an enterprise blockchain software firm working with a broad ecosystem of more than 300 participants across multiple industries to develop blockchain applications.

GroupSense

GroupSense

GroupSense helps governments and enterprises take control of digital risk with cyber reconnaissance, counterintelligence and monitoring for breached credentials.

Syber Technology

Syber Technology

Syber Technology is an IT project implementer empowering IT systems of Small to Medium Enterprises in the Middle East.

SIRP Labs

SIRP Labs

SIRP is a Risk-based Security Orchestration, Automation and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response.

BlackhawkNest

BlackhawkNest

Blackhawk is the only cyber security solution on the market that combines network monitoring and incident response into a cohesive appliance.

Assure IT

Assure IT

Assure IT is a Singapore company specialising in technology governance, risk and compliance.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Cynical Technology

Cynical Technology

Cynical Technology is a Nepalese cybersecurity company with expertise in security consulting, auditing, testing and compliance.

Operational Systems (OpSys)

Operational Systems (OpSys)

OpSys is a leading Managed IT and Cyber Security provider protecting the critical elements of businesses across the globe.