"Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang"

According to researchers at Mandiant, the ransomware gang known as Cuba is increasingly shifting to exploiting Microsoft Exchange vulnerabilities, including the ProxyShell and ProxyLogon flaws, and has likely been using them since at least last August.  Mandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware; because no other actor Mandiant tracks has been seen using COLDDRAW, the researchers suggest Cuba may be its only operator.  In a December flash alert, the FBI attributed a spate of attacks on at least 49 U.S. entities in the financial, government, healthcare, manufacturing, and information technology sectors to the group.

Once inside a network, Cuba uses WEDGECUT, a reconnaissance tool that sends ICMP ping requests to a list of hosts generated by a PowerShell script that enumerates Active Directory, to identify live hosts to encrypt and files to exfiltrate.  The adversaries then look for files of interest; the researchers noted that Cuba also routinely runs a script that maps all drives to network shares, “which may assist in user file discovery.”  For lateral movement the actors have used several methods, including RDP, SMB, and PsExec, frequently relying on BEACON to facilitate it.  They then deploy various backdoors, including NetSupport, BEACON, and BUGHATCH, the latter two often delivered by the TERMITE in-memory dropper.

To finish their extortion, the gang steals files and encrypts machines, threatening to publish the exfiltrated data of organizations that fail to pay the ransom.
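The WEDGECUT behaviour described above, a single host sending ping requests to a list of Active Directory computers, leaves a recognisable trace in flow or firewall logs: one source emitting ICMP echo requests to many distinct destinations in a short window. The following is an added detection example, not code from the Mandiant report, the FBI alert, or the Threatpost article. The log lines, their format (timestamp, source, destination, protocol, ICMP type), the IP addresses, and the window and threshold values are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on a firewall/flow export.
# Assumed format per line: ISO timestamp, source IP, destination IP, protocol, ICMP type.
# 10.0.0.5 sweeps eleven hosts in five seconds (the WEDGECUT-style pattern);
# 10.0.0.9 pings two hosts minutes apart (ordinary monitoring noise);
# 10.0.0.21 only answers the sweep with an echo reply (type 0).
SAMPLE_LOG = """\
2022-02-01T10:00:01 10.0.0.5 10.0.0.21 icmp 8
2022-02-01T10:00:01 10.0.0.5 10.0.0.22 icmp 8
2022-02-01T10:00:02 10.0.0.5 10.0.0.23 icmp 8
2022-02-01T10:00:02 10.0.0.5 10.0.0.24 icmp 8
2022-02-01T10:00:03 10.0.0.5 10.0.0.25 icmp 8
2022-02-01T10:00:03 10.0.0.5 10.0.0.26 icmp 8
2022-02-01T10:00:04 10.0.0.5 10.0.0.27 icmp 8
2022-02-01T10:00:04 10.0.0.5 10.0.0.28 icmp 8
2022-02-01T10:00:05 10.0.0.5 10.0.0.29 icmp 8
2022-02-01T10:00:05 10.0.0.5 10.0.0.30 icmp 8
2022-02-01T10:00:06 10.0.0.5 10.0.0.31 icmp 8
2022-02-01T10:00:07 10.0.0.21 10.0.0.5 icmp 0
2022-02-01T10:00:30 10.0.0.9 10.0.0.1 icmp 8
2022-02-01T10:05:00 10.0.0.9 10.0.0.2 icmp 8
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, icmp_type)."""
    ts, src, dst, proto, icmp_type = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(icmp_type)


def find_ping_sweeps(log_text, window=timedelta(seconds=60), min_targets=10):
    """Return {source_ip: distinct_hosts} for every source that sent ICMP echo
    requests (type 8) to at least `min_targets` distinct destinations inside
    some `window`-long interval.  Echo replies (type 0) are ignored so that
    hosts merely answering a sweep are not flagged themselves."""
    requests = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, proto, icmp_type = parse_line(raw)
        if proto == "icmp" and icmp_type == 8:
            requests[src].append((ts, dst))

    sweeps = {}
    for src, events in requests.items():
        events.sort()  # chronological order for the sliding window
        best = 0
        j = 0
        for i, (t_start, _) in enumerate(events):
            # Advance j to the first event outside the window starting at t_start.
            while j < len(events) and events[j][0] - t_start <= window:
                j += 1
            distinct = len({dst for _, dst in events[i:j]})
            best = max(best, distinct)
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    for src, count in find_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} distinct hosts within 60s")
```

The threshold and window are tuning knobs: lower them on a quiet server segment, raise them where monitoring systems legitimately poll many hosts, and correlate a hit with the AD enumeration (PowerShell querying computer objects) and drive-mapping activity the researchers describe before treating it as an incident.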


Threatpost reports: "Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang"
