Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang

The ransomware gang known as Cuba is increasingly shifting to exploiting Exchange bugs – including crooks’ favorites, ProxyShell and ProxyLogon – as initial infection vectors.

The ransomware gang known as “Cuba” is increasingly shifting to exploiting Microsoft Exchange vulnerabilities – including ProxyShell and ProxyLogon – as initial infection vectors, researchers have found.

The group has likely been prying open these chinks in victims’ armor as early as last August, Mandiant reported on Wednesday.

Mandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW: At least, it’s the only threat actor using it among those tracked by Mandiant, “which may suggest it’s exclusively used by the group,” researchers said.

Cuba Has Rated an FBI Warning

In a December flash alert, the FBI attributed a spate of attacks – on at least 49 U.S. entities in the financial, government, healthcare, manufacturing and information-technology sectors – to the group. For what it’s worth, Mandiant hasn’t seen Cuba attacking hospitals or other entities that provide urgent care.

At the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant

Read More: https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/