The Cuba ransomware campaign uses Microsoft Exchange vulnerabilities to get early access to business networks and encrypt devices. The ransomware gang is known as UNC2596, and the malware itself is famous as COLDDRAW, according to the cybersecurity company Mandiant. However, it is frequently called Cuba.
Cuba is a ransomware campaign that began in late 2019, and while it started slowly, it picked up steam in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware notice, stating that the group had infiltrated 49 critical infrastructure firms in the United States.
According to a recent report by Mandiant, the Cuba operation predominantly targets the United States, followed by Canada. Since August 2021, the Cuba ransomware gang has been using Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors and gain a foothold in the target network.
“Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021,” clarifies Mandiant in a new report.
Cobalt Strike or the NetSupport Manager remote access tool are among the backdoors planted, although the group also employs its own ‘Bughatch,’ ‘Wedgecut,’ and ‘eck.exe’ tools, as well as ‘Burntcigar.’
Wedgecut is distributed as a program called “check.exe,” which is a reconnaissance tool that uses PowerShell to enumerate the Active Directory.
Bughatch is a downloader that retrieves PowerShell scripts and files from a C&C server. It is loaded in memory from a remote URL to avoid detection.
Burntcigar is a program that may terminate processes at the kernel level by exploiting a weakness in an Avast driver provided with the tool as part of a “bring your own vulnerable driver” attack.
Lastly, there is Termite, a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been used in campaigns by various threat groups, indicating that it is not used solely by the Cuba threat actors. The threat actors use stolen account credentials obtained with the widely accessible Mimikatz and Wicker tools to escalate privileges.
They then use Wedgecut to perform network reconnaissance before using RDP, SMB, PsExec, and Cobalt Strike to move laterally. Bughatch is then loaded by Termite, followed by Burntcigar, which disables security mechanisms and lays the groundwork for data exfiltration and file encryption. The Cuba gang does not use cloud services for the exfiltration process; instead, it sends everything to its own private infrastructure.
Cuba ransomware teamed up with the spammers behind the Hancitor malware in May 2021 to gain access to business networks using DocuSign phishing emails. Since then, Cuba’s efforts have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. This shift makes the cyberattacks more potent but also easier to prevent, because security patches for the exploited vulnerabilities have been available for months.
The Cuba operation will likely shift its focus to other vulnerabilities once there are no more lucrative targets running unpatched Microsoft Exchange servers. This implies that applying security updates as soon as software providers release them is critical to maintaining a strong security posture against even the most sophisticated threat actors.