Microsoft Exchange Bugs Exploited by 'Cuba' Ransomware Gang (Security News, February 2022)

The ransomware gang known as "Cuba" is increasingly shifting to exploiting Microsoft Exchange vulnerabilities - including ProxyShell and ProxyLogon - as initial infection vectors, researchers have found.
At the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for at least five years.
This isn't the first time that Cuba has shown a taste for Exchange vulnerabilities, either.
The researchers noted that when COLDDRAW was deployed, Cuba used what they called "a multi-faceted extortion model" - i.e., besides encrypting data, the gang leaked it on the group's shaming site, depicted in the original article in all its cigar-chomping glory.
The majority - 80 percent - of organizations victimized by Cuba are based in North America, and within that region the United States is by far the gang's favorite target.
As for the victims listed on its shaming site - which the gang has only had up since early 2021 - Cuba provides one victim list for free, but it also keeps a separate list that you have to pay to see.
News URL
https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/