Microsoft Exchange Exploited By ‘Cuba’

A ransomware gang known as Cuba is exploiting  Microsoft Exchange bugs, including  ProxyShell and ProxyLogon as the initial attack vectors. Cuba is a ransomware operation that launched at the end of 2019, and has accelerated quickly. 

The FBI says that Cuba has been responsible for  targeting at least 49 US entities in the financial, government, healthcare, manufacturing, and IT sectors. 

The FBI has reported that the Cuba ransomware is distributed via a first-stage implant and acts as a loader for additional payloads, such as the Hancitor malware that has been around for five years.  Cuba has explored Exchange vulnerabilities before and their attacks have included phishing emails, compromised credentials, or legitimate Remote Desktop Protocol tools. 

The group frequently targets vulnerabilities on public-facing Microsoft Exchange software, seeking to detect which networks are vulnerable to attack. Mandiant has reported that Cuba uses the COLDRAW ransomware and might be the only group to use the strain.

In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory. Then, they explore to find what files might be of interest, routinely use a script to map all drives to network shares, “which may assist in user file discovery,” Mandiant researchers noted.

Whilst Cuba has a history of exploiting Microsoft Exchange vulnerabilities, but they have other attack methods,  including  phishing emails and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.

According to the FBI, they will likely turn their attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This means that applying the available security updates as soon as the software vendors release them is key in maintaining a robust security against most sophisticated threat actors.

FBI:    Oodaloop:    Mandiant:     Threatpost:    Vumetric:     InfoSecToday:     Bleeping Computer:    ZDNet

You Might Also Read: 

Ransomware Is The Number One Threat:


 

« NATO Tests A Post-Quantum VPN
Making Sense Of The Edge »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Willis Towers Watson

Willis Towers Watson

Willis Towers Watson is a global risk management, insurance brokerage and advisory company. Services offered include Cyber Risks insurance.

Qolcom

Qolcom

Qolcom is a leading UK based integrator of secure wireless network and mobile device management solutions.

NNIT

NNIT

NNIT​ is one of Denmark’s leading consultancies in IT development, implementation and operations, including cyber security.

TechDefence Labs

TechDefence Labs

TechDefence Labs provide pentesting and security assessment services for networks, web apps, mobile apps and source code reviews.

Inky Technology Corp

Inky Technology Corp

Inky® Phish Fence is an email protection gateway that uses sophisticated AI, machine learning and computer vision algorithms to block deep sea phishing attacks that get through every other system.

ISEC7 Group

ISEC7 Group

ISEC7 Group is a global provider of mobile business services and software solutions. The company was one of the first movers in mobilising company and business processes.

Socure

Socure

Socure’s identity verification increases auto approval rates, reduces false positives and captures more fraud. In real time.

WhiteHawk

WhiteHawk

WhiteHawk is the first online Cyber Security Exchange. We help you understand your cyber risk and match you to tailored and affordable solutions.

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Redsquid

Redsquid

At Redsquid we are all about making a difference to our customers with the use of technology, as an innovative provider of solutions within IoT, Cyber security, ICT, Data Connectivity & Voice.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

Zaviant Consulting

Zaviant Consulting

Zaviant Consulting is a leading data security and privacy consulting firm assisting organizations comply with constantly evolving security frameworks and privacy regulations.

TPx Communications

TPx Communications

TPx is a leading managed services provider offering a full suite of managed IT, unified communications, network connectivity and security services.

LegalByte

LegalByte

LegalByte is a leading provider of comprehensive legal and forensic services dedicated to addressing the complex challenges of the digital age.

Simbian

Simbian

Simbian, with its hardened TrustedLLM system, is the first to accelerate security by empowering every member of a security team from the C-Suite to frontline practitioners.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.