# Microsoft Exchange servers hacked to deploy Cuba ransomware **[bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/](https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) February 24, 2022 12:06 PM 1 The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article. Cuba is a ransomware operation that launched at the end of 2019, and while they started slow, they began to pick up speed in 2020 and 2021. This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S. ----- In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada. **Cuba ransomware victims heat map** _Source: Mandiant_ ## Mixing commodity and custom malware The Cuba ransomware gang was seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish their foothold on the target network since August 2021. "Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, [including ProxyShell and](https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers) [ProxyLogon, as another access point leveraged by UNC2596](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) [likely as early as August 2021," explains Mandiant in a new report.](http://www.mandiant.com/resources/unc2596-cuba-ransomware) The planted backdoors include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses their own ‘Bughatch’, ‘Wedgecut’, and ‘eck.exe”, and Burntcigar’ tools. **Wedgecut comes in the form of an executable named “check.exe,” which is a** reconnaissance tool that enumerates the Active Directory through PowerShell. **Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server.** To evade detection it loads in memory from a remote URL ----- **Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in** [an Avast driver, which is included with the tool for a “bring your own vulnerable driver”](https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows-windows-kernel-level-attacks/) attack. Finally, there’s a memory-only dropper that fetches the above payloads and loads them, called Termite. However, this tool has been observed in campaigns of multiple threat groups, so it’s not used exclusively by the Cuba threat actors. The threat actors escalate privileges using stolen account credentials sourced through the readily available Mimikatz and Wicker tools. Then they perform network reconnaissance with Wedgecut, and next, they move laterally with RDP, SMB, PsExec, and Cobalt Strike. The subsequent deployment is Bughatch loaded by Termite, followed by Burntcigar, which lays the ground for data exfiltration and file encryption by deactivating security tools. The Cuba gang doesn’t use any cloud services for the exfiltration step but instead sends everything onto their own private infrastructure. **Cuba ransomware note to victims** _Source: Mandiant_ ## An evolving operation [Back in May 2021, Cuba ransomware partnered with the spam operators of the Hancitor](https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/) malware to gain access to corporate networks through DocuSign phishing emails. Since then, Cuba has evolved its operations to target public-facing services vulnerabilities, [such as the Microsoft Exchange ProxyShell and](https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/) [ProxyLogon vulnerabilities.](https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exploited-exchange-zero-day-bugs-patch-now/) This shift makes the attacks more potent but also easier to thwart, as security updates that plug the exploited issues have been available for many months now. ----- The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This means that applying the available security updates as soon as the software vendors release them is key in maintaining a robust security stance against even the most sophisticated threat actors. ### Related Articles: [The Week in Ransomware - May 20th 2022 - Another one bites the dust](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-20th-2022-another-one-bites-the-dust/) [The Week in Ransomware - May 6th 2022 - An evolving landscape](https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-6th-2022-an-evolving-landscape/) [Magniber ransomware gang now exploits Internet Explorer flaws in attacks](https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/) [Microsoft Exchange servers hacked to deploy Hive ransomware](https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/) [Microsoft Exchange targeted for IcedID reply-chain hijacking attacks](https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/) [Cuba Ransomware](https://www.bleepingcomputer.com/tag/cuba-ransomware/) [Microsoft Exchange](https://www.bleepingcomputer.com/tag/microsoft-exchange/) [ProxyLogon](https://www.bleepingcomputer.com/tag/proxylogon/) [ProxyShell](https://www.bleepingcomputer.com/tag/proxyshell/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Vulnerability](https://www.bleepingcomputer.com/tag/vulnerability/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. [Previous Article](https://www.bleepingcomputer.com/news/security/us-defense-contractors-hit-by-stealthy-sockdetour-windows-backdoor/) [Next Article](https://www.bleepingcomputer.com/news/security/us-and-uk-expose-new-malware-used-by-muddywater-hackers/) ### Comments ----- [Codestradamus - 3 months ago](https://www.bleepingcomputer.com/forums/u/1240093/codestradamus/) Terrible decision to refer to this as Cuba, reads terribly in areas of the article. Otherwise the content is well put together. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----