Microsoft SSRF flaw abused by Cuba ransomware

January 26, 2023

The Cuba ransomware group has been using the BURNTCIGAR loader utility to install a malicious driver signed with a Microsoft certificate last month. According to reports, Microsoft has disclosed that the same group is targeting unpatched Exchange servers through a critical Server-Side Request Forgery (SSRF) vulnerability.

Researchers initially revealed this vulnerability a couple of months ago and warned that malicious actors could exploit it.


The Cuba ransomware operators have allegedly abused the Microsoft SSRF flaw to expand the scope of their attacks.


Recent investigations by Microsoft and third-party researchers show that the Cuba ransomware actors are actively widening their attack scope, adopting new techniques whenever they discover a fresh opening.

The Cuba ransomware operators recently exploited the Microsoft SSRF zero-day flaw (CVE-2022-41080) to infect vulnerable Microsoft Exchange servers. Researchers also found that a threat actor tracked as DEV-0671 has been using the flaw to hijack Exchange servers and launch Cuba ransomware payloads.

In a similar incident, the Play ransomware group exploited the same flaw on Rackspace’s network. The group used the bug to deploy several tools, such as AnyDesk and Plink, to gain remote access to the compromised servers.

Microsoft published security updates addressing the bug in November last year and has given customers guidance on protecting against this attack method.

CISA added this critical flaw to its Known Exploited Vulnerabilities Catalog and issued a directive ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems.

The Cuba ransomware operations have been a persistent problem for researchers and users alike, especially when combined with proven, cleverly applied crimeware techniques. Last month, federal law enforcement agencies warned about this ransomware group’s increasing attacks.

Microsoft Exchange Server users should prioritise patching the vulnerability mentioned above to avoid exploitation attempts by the Cuba ransomware group and other threat actors.
