Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang
The ransomware gang known as "Cuba" is increasingly shifting to exploiting Microsoft Exchange vulnerabilities - including ProxyShell and ProxyLogon - as initial infection vectors, researchers have found.
The FBI has previously noted that the Cuba ransomware is distributed via Hancitor, a first-stage implant that acts as a loader for follow-on payloads and that has been around for at least five years.
This isn't the first time that Cuba has shown a taste for Exchange vulnerabilities, either.
The researchers noted that when COLDDRAW (their name for the Cuba ransomware payload) was deployed, Cuba used what they called "a multi-faceted extortion model": besides encrypting data, the gang leaked it on its cigar-themed shaming site.
The majority (80 percent) of organizations victimized by Cuba are based in North America, with the United States the most heavily targeted country.
Cuba's shaming site, which has only been up since early 2021, publishes a free list of victims, but the gang also keeps a separate list that can only be viewed for a fee.
News URL
https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/