Microsoft Exchange servers hacked to deploy Cuba ransomware


The Cuba ransomware operation exploits vulnerabilities in Microsoft Exchange to gain initial access to corporate networks and encrypt devices.

Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will refer to it throughout this article.

Cuba is a ransomware operation that launched in late 2019, and although it started slowly, it picked up speed in 2020 and 2021. This increase in activity led the FBI to issue an advisory on Cuba ransomware in December 2021, warning that the gang had breached 49 critical infrastructure organizations in the United States.

In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.

Cuba ransomware victims heat map
Source: Mandiant

Mix of basic and custom malware

The Cuba ransomware gang has been seen exploiting vulnerabilities in Microsoft Exchange since August 2021 to deploy web shells, RATs and backdoors that give it a foothold on the target network.

“Mandiant has also identified exploitation of vulnerabilities in Microsoft Exchange, including ProxyShell and ProxyLogon, as another access point operated by UNC2596 probably as early as August 2021,” Mandiant explains in a new report.

Backdoors planted include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses its own ‘Bugatch’, ‘Wedgecut’ and ‘eck.exe’ tools, as well as Burntcigar.

Wedgecut comes in the form of an executable named “check.exe”, a reconnaissance tool that enumerates Active Directory via PowerShell.

Bugatch is a downloader that fetches PowerShell scripts and files from the command-and-control (C&C) server. To evade detection, it is loaded into memory directly from a remote URL rather than written to disk.

Burntcigar is a utility that can terminate processes from kernel level by exploiting a flaw in an Avast driver, which is bundled with the tool for a “bring your own vulnerable driver” attack.

Finally, there is a memory-only dropper called Termite that fetches the above payloads and loads them. However, this tool has been observed in the campaigns of several threat groups, so it is not used exclusively by the Cuba threat actors.

The threat actors escalate privileges using account credentials stolen with the readily available Mimikatz and Wicker tools.

They then perform network reconnaissance with Wedgecut and move laterally using RDP, SMB, PsExec and Cobalt Strike.

Next, Termite loads Bugatch, followed by Burntcigar, which disables security tools and thereby sets the stage for data exfiltration and file encryption.

The Cuba gang does not use any cloud service for the exfiltration stage; instead it sends everything over its own private infrastructure.

Cuba ransomware note to victims
Source: Mandiant

A scalable operation

In May 2021, Cuba ransomware teamed up with spam operators of the Hancitor malware to gain access to corporate networks via DocuSign phishing emails.

Since then, Cuba has evolved its operations to target software vulnerabilities, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws.

This change makes the attacks more powerful but also easier to thwart, as the security updates that fix the exploited issues have been available for many months now.

The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valid targets running unpatched Microsoft Exchange servers.

This means that applying available security updates as soon as software vendors release them is essential to maintaining a strong security posture against even the most sophisticated threat actors.
