Microsoft Exchange Exploited By ‘Cuba’

Uploaded on 2022-03-08 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW

A ransomware gang known as Cuba is exploiting  Microsoft Exchange bugs, including  ProxyShell and ProxyLogon as the initial attack vectors. Cuba is a ransomware operation that launched at the end of 2019, and has accelerated quickly. 

The FBI says that Cuba has been responsible for  targeting at least 49 US entities in the financial, government, healthcare, manufacturing, and IT sectors. 

The FBI has reported that the Cuba ransomware is distributed via a first-stage implant and acts as a loader for additional payloads, such as the Hancitor malware that has been around for five years.  Cuba has explored Exchange vulnerabilities before and their attacks have included phishing emails, compromised credentials, or legitimate Remote Desktop Protocol tools. 

The group frequently targets vulnerabilities on public-facing Microsoft Exchange software, seeking to detect which networks are vulnerable to attack. Mandiant has reported that Cuba uses the COLDRAW ransomware and might be the only group to use the strain.

In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory. Then, they explore to find what files might be of interest, routinely use a script to map all drives to network shares, “which may assist in user file discovery,” Mandiant researchers noted.

Whilst Cuba has a history of exploiting Microsoft Exchange vulnerabilities, but they have other attack methods,  including  phishing emails and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.

According to the FBI, they will likely turn their attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This means that applying the available security updates as soon as the software vendors release them is key in maintaining a robust security against most sophisticated threat actors.

FBI:    Oodaloop:    Mandiant:     Threatpost:    Vumetric:     InfoSecToday:     Bleeping Computer:    ZDNet

You Might Also Read: 

Ransomware Is The Number One Threat:


 

« NATO Tests A Post-Quantum VPN
Making Sense Of The Edge »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

OneLogin

OneLogin

OneLogin simplifies identity management with secure, one-click access,for employees, customers and partners, through all device types, to all enterprise cloud and on-premise applications.

Ceerus

Ceerus

Ceerus was created to simplify the process of deploying and managing security across all the channels in an organisation.

SecuLution

SecuLution

SecuLution is an Antivirus product using Application Whitelisting which offers much more protection than Virus Scanners ever can.

DANAK

DANAK

DANAK is the national accreditation body for Denmark. The directory of members provides details of organisations offering certification services for ISO 27001.

Right-Hand Cybersecurity

Right-Hand Cybersecurity

Right-Hand Cybersecurity empowers businesses to monitor, measure and mitigate employee induced cyber risks in real-time.

Zercurity

Zercurity

Zercurity is on a mission to build the ultimate cybersecurity operations platform for businesses. To help protect against a growing number of internal and external threats.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

ByteSnipers

ByteSnipers

ByteSnipers specialize in penetration testings and secure development services. Our focus is on your security.

Citadel Cyber Security

Citadel Cyber Security

Citadel is a leading 'One Stop Shop' provider of consulting services in cyber and information security. Our experts operate in hundreds of business organizations in Israel and around the world.

UncommonX

UncommonX

UncommonX offers enterprise-class cybersecurity protection for mid-size organizations by combining adaptive threat and intelligence software with 24/7 industry experts.

Teleport

Teleport

Teleport is a remote-first technology company. We enable engineers to quickly access any computing resource anywhere on the planet.

Toka Group

Toka Group

Toka empowers government agencies with critical and previously out-of-reach digital forensics, force protection and Intelligence capabilities, tackling the fields' most pressing challenges.

Tracebit

Tracebit

Tracebit uses decoys to detect and respond to cloud intrusions in minutes.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.

AI or Not

AI or Not

AI or Not - Leverage AI to combat misinformation and elevate the landscape of compliance solutions.