Microsoft Exchange servers hacked to deploy Cuba ransomware


Feb 4, 2016
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.

Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.

Cuba is a ransomware operation that launched at the end of 2019. It started slowly but picked up speed in 2020 and 2021, and this increase in activity led the FBI to issue a Cuba ransomware advisory in December 2021, warning that the gang had breached 49 critical infrastructure organizations in the U.S.

In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.

Mixing commodity and custom malware

Since August 2021, the Cuba ransomware gang has been observed exploiting Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors that establish its foothold on the target network.
"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report.

The planted backdoors include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses its own ‘Bughatch’, ‘Wedgecut’, ‘eck.exe’, and ‘Burntcigar’ tools.
Wedgecut comes in the form of an executable named “check.exe,” a reconnaissance tool that enumerates Active Directory through PowerShell.
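The tradecraft described above (Exchange web shells, and a renamed reconnaissance binary that drives PowerShell against Active Directory) leaves a recognisable parent/child process pattern. The following detection sketch is an added example, not code from the article or from Mandiant: it runs three rules over constructed, Sysmon-style process-creation records. The file names check.exe and eck.exe come from the article; the IIS worker process name w3wp.exe and the Get-AD* cmdlets used as the AD-enumeration indicator are assumptions, since the article only says Wedgecut enumerates Active Directory through PowerShell.

```python
"""Process-creation heuristics for the Cuba/UNC2596 tradecraft described above.

Added example for illustration; the sample events are constructed, not real
telemetry, and the field layout is a simplified Sysmon Event ID 1 record.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (simplified Sysmon Event ID 1)."""
    host: str
    image: str           # path of the newly created process
    parent_image: str    # path of the process that created it
    command_line: str


# Tool names taken from the article: Wedgecut ships as check.exe, and the
# group also uses a tool named eck.exe. Name matches are weak on their own
# (trivially renamed), so they are reported separately from the behavioural rules.
SUSPECT_NAMES = {"check.exe", "eck.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: Exchange's web endpoints run inside the IIS worker process w3wp.exe,
# so a command shell whose parent is w3wp.exe is a generic web-shell indicator.
IIS_WORKER = "w3wp.exe"
# Assumption: Wedgecut's AD enumeration uses ActiveDirectory-module cmdlets.
AD_ENUM = re.compile(r"Get-AD(Computer|User|Group|GroupMember|DomainController)\b",
                     re.IGNORECASE)


def _name(path: str) -> str:
    """Basename of a Windows path, lower-cased (ntpath so this works on any OS)."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    child, parent = _name(ev.image), _name(ev.parent_image)
    if child in SUSPECT_NAMES:
        hits.append("cuba_tool_name")
    if parent == IIS_WORKER and child in SHELLS:
        hits.append("webshell_iis_spawns_shell")
    if (parent in SUSPECT_NAMES
            and child in {"powershell.exe", "pwsh.exe"}
            and AD_ENUM.search(ev.command_line)):
        hits.append("wedgecut_ad_enum")
    return hits


def detect(events: Iterable[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Run classify() over a stream and return (host, rule, command_line) findings."""
    return [(ev.host, rule, ev.command_line) for ev in events for rule in classify(ev)]


# Constructed sample events: one normal IIS worker start, one web-shell style
# spawn, the Wedgecut pattern, and a benign admin PowerShell session.
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\svchost.exe", "w3wp.exe -ap MSExchangeOWAAppPool"),
    ProcEvent("EXCH01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    ProcEvent("WS042", r"C:\Users\Public\check.exe",
              r"C:\Windows\System32\cmd.exe", "check.exe"),
    ProcEvent("WS042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\check.exe",
              "powershell.exe -NoP -C Get-ADComputer -Filter *"),
    ProcEvent("DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe Get-ADUser -Identity jdoe"),
]

if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The benign Get-ADUser session on DC01 is deliberately not flagged: the AD-enumeration rule keys on the parent being one of the named tools, not on the cmdlet alone, which keeps it from firing on every administrator. In a real deployment the name-based rule should be treated as low confidence and the two parent/child rules as the durable signal.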