Security News > 2022 > February > Microsoft Exchange servers hacked to deploy Cuba ransomware
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.
Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.
This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S. In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.
The Cuba ransomware gang was seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish their foothold on the target network since August 2021.
Cuba has evolved its operations to target public-facing services vulnerabilities, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.
The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers.
News URL
Related news
- Ransomware attackers hop from on-premises systems to cloud to compromise Microsoft 365 accounts (source)
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server (source)
- Microsoft says more ransomware stopped before reaching encryption (source)
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
- Black Basta ransomware poses as IT support on Microsoft Teams to breach networks (source)
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
- Meet Interlock — The new ransomware targeting FreeBSD servers (source)
- Microsoft confirms Windows Server 2025 blue screen, install issues (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)