Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang (Security News, February 2022)

The ransomware gang known as "Cuba" is increasingly shifting to exploiting Microsoft Exchange vulnerabilities - including ProxyShell and ProxyLogon - as initial infection vectors, researchers have found.
At the time, the FBI noted that Cuba ransomware is distributed by a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been in circulation for at least five years.
This isn't the first time that Cuba has shown a taste for Exchange vulnerabilities, either.
The researchers noted that when COLDDRAW was deployed, Cuba used what they called "a multi-faceted extortion model" - i.e., besides encrypting data, the gang leaked it on the group's shaming site, which is depicted below in all its cigar-chomping glory.
The majority - 80 percent - of organizations victimized by Cuba are based in North America, and within that region the United States is targeted far more than any other country.
As for the victims listed on its shaming site - which has been online only since early 2021 - Cuba publishes one victim list for free, but it also keeps a separate list that can only be viewed for a fee.
News URL
https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/
Related news
- Microsoft: Exchange 2016 and 2019 reach end of support in October
- Ransomware attackers are “vishing” organizations via Microsoft Teams
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now