Microsoft Exchange servers hacked to deploy Cuba ransomware (Security News, February 2022)
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.
Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.
This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S. In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.
Since August 2021, the Cuba ransomware gang has been seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish a foothold on the target network.
Cuba has evolved its operations to target vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.
The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers.