Security News > 2022 > February > Microsoft Exchange servers hacked to deploy Cuba ransomware
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.
Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.
This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S. In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.
The Cuba ransomware gang was seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish their foothold on the target network since August 2021.
Cuba has evolved its operations to target public-facing services vulnerabilities, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.
The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers.
News URL
Related news
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Ransomware attackers are “vishing” organizations via Microsoft Teams (source)
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)