Cuba ransomware is increasingly shifting to exploiting Exchange bugs, including crooks' favorites ProxyShell and ProxyLogon, as initial infection vectors.
The ransomware gang known as "Cuba" is increasingly shifting to exploiting Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as initial infection vectors, researchers have found.
The group has likely been prying open these chinks in victims' armor since as early as last August, Mandiant said on Wednesday.
Mandiant, which tracks the threat actor as UNC2596, observed that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW: at least, it is the only threat actor using it among those tracked by Mandiant, "which may suggest it is exclusively used by the group," researchers said.
Cuba Has Earned an FBI Warning
In a December flash alert, the FBI attributed a spate of attacks on at least 49 U.S. entities in the financial, government, healthcare, manufacturing and information-technology sectors to the group. For what it's worth, Mandiant has not seen Cuba attacking hospitals or other entities that provide urgent care.
At the time, the FBI said that Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for at least five years.
This is not the first time Cuba has shown a taste for Exchange vulnerabilities, either. They are just one way that Hancitor operators gain initial access to target systems; other avenues include phishing emails and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, according to the FBI's December alert.
Microsoft Exchange Action
True to form, Mandiant observed the group "frequently" picking apart vulnerabilities in public-facing Microsoft Exchange infrastructure as an initial compromise vector. "The threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation," researchers said.
Next, Cuba deployed webshells to establish a foothold in the compromised network. The actors then planted backdoors to maintain that access, including the publicly available NetSupport RAT as well as BEACON and BUGHATCH, which were deployed using the TERMITE in-memory dropper.
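The webshell stage is where a defender gets the first chance to catch an Exchange intrusion of this kind, so here is an added triage script for that step. It is an example written for this article, not tooling from Mandiant or the Cuba group, and it is a heuristic: it flags a server-side page only when two independent indicators (request-driven input plus process spawning, dynamic evaluation or reflection) appear together. Where to point it is an operational assumption on our part: for Exchange, the FrontEnd\HttpProxy\owa\auth and ecp directories are the usual drop locations, but the article does not say where Cuba placed its shells. The sample pages and directory layout are constructed so the script runs offline.

```python
"""Triage .aspx files under a web root for webshell-like content.

Added example for this article, not tooling from Mandiant or the Cuba group.
Heuristic: two independent indicators (request-driven input plus code or
process execution) in one server-side page.  The directory to scan (for
Exchange, typically FrontEnd\\HttpProxy\\owa\\auth and ecp) is an operational
assumption, not something the article states.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Constructs rarely found in stock OWA/ECP pages but common in ASPX webshells.
SUSPICIOUS_PATTERNS = {
    "request-input": re.compile(r"Request\s*(\[|\.Item\[|\.Form\[|\.QueryString\[)", re.I),
    "process-spawn": re.compile(r"Process\.Start|System\.Diagnostics\.Process", re.I),
    "dynamic-eval": re.compile(r"\beval\s*\(|\bExecuteGlobal\b|JScript\.Eval", re.I),
    "reflection": re.compile(r"Assembly\.Load|Activator\.CreateInstance", re.I),
}
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")
MIN_SCORE = 2  # demand two independent indicators to keep false positives down


@dataclass
class Finding:
    path: str
    indicators: List[str]

    @property
    def score(self) -> int:
        return len(self.indicators)


def score_text(text: str) -> List[str]:
    """Return the names of the indicators present in one page's source."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


def hunt(root: str, min_score: int = MIN_SCORE) -> List[Finding]:
    """Walk a web root and return pages that meet the indicator threshold."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = score_text(fh.read())
            if len(hits) >= min_score:
                findings.append(Finding(path, hits))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed page contents for an offline run: a stock-looking logon page and
# a minimal one-liner shell that runs whatever arrives in the "cmd" parameter.
BENIGN_PAGE = '<%@ Page Language="C#" %><html><body>Sign in to Outlook</body></html>'
SHELL_PAGE = ('<%@ Page Language="C#" %><% var c = Request["cmd"]; '
              'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); %>')


def demo() -> List[str]:
    """Build a throwaway web root, run the hunt, return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        auth = os.path.join(root, "owa", "auth")  # constructed layout
        os.makedirs(auth)
        with open(os.path.join(auth, "logon.aspx"), "w") as fh:
            fh.write(BENIGN_PAGE)
        with open(os.path.join(auth, "auth_redir.aspx"), "w") as fh:
            fh.write(SHELL_PAGE)
        return [os.path.basename(f.path) for f in hunt(root)]


if __name__ == "__main__":
    print(demo())
```

Pattern matching on page source is a starting point, not proof: a file that matches should be compared against the Exchange build's known file list and its creation time against the patch history of the server, and a file that does not match is not cleared, since the TERMITE loader the article describes lives in memory rather than on disk.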
The operators have generally used credentials from valid accounts to escalate privileges, researchers noted. It's not always clear where they got the credentials, but in at least some cases they were stolen with credential-theft tools such as Mimikatz and WICKER.
"We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions," researchers added. In one intrusion, the threat actor created a user account and added it to the administrator and RDP groups, they said.
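The account manipulation described in that intrusion leaves a tidy trail in the Windows Security log, and correlating it is cheap. The following is an added example written for this article, not Mandiant's or the FBI's detection logic. The records are a constructed, simplified rendering of Security events 4720 (user account created), 4732 (member added to a security-enabled local group) and 4728 (member added to a global group); the field names are ours rather than the raw EventData names, and the group list and 24-hour window are tunable assumptions.

```python
"""Correlate new-account creation with additions to admin and RDP groups.

Added example for this article; not Mandiant's or the FBI's detection logic.
Records are a constructed, simplified rendering of Windows Security events
4720 (user account created), 4732 (member added to a security-enabled local
group) and 4728 (member added to a global group).  Field names are ours, not
the raw EventData names.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "domain admins"}
WINDOW = timedelta(hours=24)  # creation-to-privilege gap worth alerting on

# Constructed sample events (ISO timestamps, UTC).  "subject" is the account
# that performed the change; "account" is the account acted on.
EVENTS: List[Dict] = [
    {"id": 4720, "t": "2021-08-10T02:11:05", "subject": "EXCH01$", "account": "svc_backup2", "group": None},
    {"id": 4732, "t": "2021-08-10T02:11:40", "subject": "EXCH01$", "account": "svc_backup2", "group": "Administrators"},
    {"id": 4732, "t": "2021-08-10T02:12:03", "subject": "EXCH01$", "account": "svc_backup2", "group": "Remote Desktop Users"},
    {"id": 4720, "t": "2021-08-10T09:00:00", "subject": "helpdesk1", "account": "jsmith", "group": None},
    {"id": 4732, "t": "2021-08-10T09:00:30", "subject": "helpdesk1", "account": "jsmith", "group": "Remote Desktop Users"},
    {"id": 4732, "t": "2021-08-12T10:00:00", "subject": "it-admin", "account": "svc_backup2", "group": "Backup Operators"},
]


def correlate(events: List[Dict], window: timedelta = WINDOW, min_groups: int = 2) -> List[Dict]:
    """Alert when an account is created and, within `window`, lands in at
    least `min_groups` privileged groups.  A single RDP-group add for a
    helpdesk-created user stays below the bar; admin plus RDP does not."""
    created: Dict[str, datetime] = {}
    adds: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for e in events:
        when = datetime.fromisoformat(e["t"])
        acct = e["account"].lower()
        if e["id"] == 4720:
            created[acct] = when
        elif e["id"] in (4728, 4732) and e["group"] and e["group"].lower() in PRIVILEGED_GROUPS:
            adds[acct].append((when, e["group"], e["subject"]))

    alerts = []
    for acct, born in created.items():
        hits = [h for h in adds.get(acct, []) if timedelta(0) <= h[0] - born <= window]
        groups = sorted({g for _, g, _ in hits})
        if len(groups) >= min_groups:
            actors = sorted({s for _, _, s in hits})
            alerts.append({
                "account": acct,
                "created": born.isoformat(),
                "groups": groups,
                "by": actors,
                # Heuristic: a machine account ($) as the actor means the change
                # was made by a process running as SYSTEM or the computer identity
                # on that host (e.g. code running under IIS), not by an admin
                # logged on by name.
                "from_machine_account": any(a.endswith("$") for a in actors),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In a real deployment the same logic runs over events pulled from the domain controllers and the Exchange servers together, because an account created locally on the Exchange host and an account created in the domain show up in different logs; the two-group threshold is what keeps routine helpdesk onboarding (one RDP-group add) quiet.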
Infection Chain
To identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool that sends PING requests to a list of hosts generated by a PowerShell script that enumerates Active Directory.
Then the crooks poke around to see what files might be of interest. They also routinely use a script to map all drives to network shares, "which may assist in user file discovery," researchers noted.
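A ping sweep driven by an Active Directory host list is loud on the network even when it is quiet on the endpoint, so here is an added detector for it. This is an example written for this article, not a Mandiant signature and not WEDGECUT itself. The flow records are constructed and use a simplified "time src dst proto" layout rather than a real NetFlow or firewall export; the 20-destinations-in-60-seconds threshold is an assumption that would be tuned against a site's own monitoring and patch-management traffic.

```python
"""Flag ICMP host sweeps, of the kind WEDGECUT performs, from flow records.

Added example for this article, not a Mandiant signature.  The flow lines are
constructed and use a simplified "time src dst proto" layout rather than a
real NetFlow or firewall export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, str, str]


def build_sample() -> str:
    """Constructed traffic: one host pinging 48 consecutive addresses in 48
    seconds (a sweep) and a monitoring box that pings the same three servers
    every 10 seconds (benign repetition of a few destinations)."""
    base = datetime(2021, 8, 10, 3, 0, 0)
    lines = []
    for i in range(48):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.10.5.21 10.10.20.{i + 1} icmp")
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        for dst in ("10.10.20.1", "10.10.20.2", "10.10.20.3"):
            lines.append(f"{t.isoformat()} 10.10.1.5 {dst} icmp")
    lines.append(f"{base.isoformat()} 10.10.1.5 10.10.20.1 tcp")  # ignored: not ICMP
    return "\n".join(lines)


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto = line.split()
        flows.append((datetime.fromisoformat(t), src, dst, proto))
    return flows


def detect_sweeps(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                  threshold: int = 20) -> List[Tuple[str, int]]:
    """Return (source, peak distinct destinations) for every source that
    reaches `threshold` distinct ICMP destinations inside any `window`."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, src, dst, proto in flows:
        if proto == "icmp":
            by_src[src].append((t, dst))

    alerts: List[Tuple[str, int]] = []
    for src, items in by_src.items():
        items.sort()
        in_window: Dict[str, int] = defaultdict(int)  # dst -> hits inside window
        left = 0
        peak = 0
        for t, dst in items:
            in_window[dst] += 1
            # Slide the left edge forward until every counted record is within `window`.
            while items[left][0] < t - window:
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


if __name__ == "__main__":
    print(detect_sweeps(parse_flows(build_sample())))
```

Counting distinct destinations rather than raw packets is what separates the sweep from the monitoring host: both send plenty of ICMP, but only one of them touches dozens of new addresses in a minute. The same sliding-window logic applies to the share-mapping script mentioned above if the input is SMB session records instead of ICMP.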
Cuba threat actors have used various methods for lateral movement, including RDP, SMB and PsExec, "frequently using BEACON to facilitate this movement," Mandiant said. They then deploy various backdoors, including NetSupport as well as BEACON and BUGHATCH, which are commonly deployed using the TERMITE in-memory dropper.
To finish up the extortion job, the gang attempts to steal files and encrypt networked machines, threatening to publish on its shaming site the exfiltrated data of companies that balk at paying the ransom.
More Tools, More Malware
According to Mandiant's report, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. Payloads have included the BEACON malware, the Metasploit stager or the group's custom BUGHATCH downloader.
Cuba isn't the only threat actor using the TERMITE dropper: Mandiant said it is apparently used by "a limited number" of threat actors.
Over the course of six months, collected TERMITE payloads show that its keepers have been grooming TERMITE, tweaking it to burrow in better and evade detection, researchers said.
Custom-Rolled Malware & Tools
Beyond common, mainstay malware tools such as Cobalt Strike and NetSupport, Mandiant's analysis showed that Cuba has some novel malware up its sleeve, including:
BURNTCIGAR: a utility that terminates endpoint security software.
WEDGECUT: a reconnaissance tool that checks whether a list of hosts or IP addresses are online.
BUGHATCH: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.
The researchers noted that when COLDDRAW was deployed, Cuba used what they called "a multi-faceted extortion model": in addition to encrypting data, the gang leaked it on the group's shaming site, which is depicted below in all its cigar-chomping glory.
Who Does Cuba Love the Most?
The majority, 80 percent, of organizations victimized by Cuba are based in North America, but Cuba loves the United States above all. As shown by the victim map below, the United States is Cuba's favorite target, followed by Canada, though the group does go after European countries and other regions.
Its favorite industry sector to pick on is manufacturing, followed by financial services.
Regarding the victims listed on its shaming site, which the gang has had up since only early 2021, Cuba offers a victim list for free, but it also keeps a separate list that you have to pay to see. Mandiant bit the bullet and sprang for that paid section.
It was sparse, to say the least: "[The] paid section … listed only a single victim at the time of publication," its report said.
Some parts of this article are sourced from:
threatpost.com