Microsoft Exchange Exploited By ‘Cuba’

A ransomware gang known as Cuba is exploiting Microsoft Exchange bugs, including ProxyShell and ProxyLogon, as initial attack vectors. Cuba is a ransomware operation that launched at the end of 2019 and has grown quickly.

The FBI says that Cuba has targeted at least 49 US entities in the financial, government, healthcare, manufacturing, and IT sectors.

The FBI has reported that the Cuba ransomware is distributed via a first-stage implant and acts as a loader for additional payloads, such as the Hancitor malware, which has been around for five years. Cuba has exploited Exchange vulnerabilities before, and its attacks have also involved phishing emails, compromised credentials, and legitimate Remote Desktop Protocol tools.

The group frequently targets vulnerabilities on public-facing Microsoft Exchange software, seeking to detect which networks are vulnerable to attack. Mandiant has reported that Cuba uses the COLDRAW ransomware and might be the only group to use the strain.

In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool that sends PING requests to a list of hosts generated by a PowerShell script that enumerates Active Directory. The group then explores to find which files might be of interest, routinely using a script to map all drives to network shares, “which may assist in user file discovery,” Mandiant researchers noted.
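The reconnaissance pattern described above (one internal host sending ICMP echo requests to a long list of directory-enumerated hosts in a short time) is something a defender can flag in flow or firewall logs. The following is an added example, not code from the article, the FBI or Mandiant: a small Python detector that counts distinct ICMP targets per source inside a sliding time window. The log line format, the addresses, and the window and threshold values are constructed assumptions.

```python
import re
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO8601 UTC> icmp <src> -> <dst>"
LINE_RE = re.compile(r"^(\S+) icmp (\S+) -> (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, src, dst) for an ICMP log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)


def detect_ping_sweeps(lines, window_seconds=60, min_targets=20):
    """Return {src: max_distinct_targets} for every source that pinged at least
    `min_targets` distinct hosts within any `window_seconds` window."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)    # src -> deque of (ts, dst) still inside the window
    counts = defaultdict(Counter)  # src -> dst -> number of pings inside the window
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ts, src, dst in events:
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        while q and ts - q[0][0] > window:   # expire events older than the window
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= min_targets:
            alerts[src] = max(alerts.get(src, 0), len(c))
    return alerts


def build_sample_logs():
    """Constructed sample: 10.0.7.44 sweeps 45 hosts in 45 s (the sweep pattern),
    while 10.0.7.9 pings only its gateway once per second (benign monitoring)."""
    base = datetime(2021, 12, 6, 9, 0, 0)
    lines = []
    for i in range(45):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} icmp 10.0.7.44 -> 10.0.7.{i + 10}")
        lines.append(f"{t} icmp 10.0.7.9 -> 10.0.7.1")
    return lines


if __name__ == "__main__":
    print(detect_ping_sweeps(build_sample_logs()))  # {'10.0.7.44': 45}
```

The benign host never exceeds one distinct target, so only the sweeping source is reported; shrinking the window to 10 seconds drops the sweep below the 20-host threshold and yields no alert.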

Whilst Cuba has a history of exploiting Microsoft Exchange vulnerabilities, it also uses other attack methods, including phishing emails and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.

According to the FBI, the group will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This means that applying the available security updates as soon as software vendors release them is key to maintaining robust security against the most sophisticated threat actors.

Sources: FBI, Oodaloop, Mandiant, Threatpost, Vumetric, InfoSecToday, Bleeping Computer, ZDNet

