A threat group tracked as UNC2596 has leveraged Microsoft Exchange flaws to distribute the Cuba ransomware. Researchers explained that the group uses the ransomware to target corporate networks and encrypt the devices on them.
UNC2596 has been running the same campaigns since the start of August last year. The group has targeted multiple organisations, utility providers, and government agencies that support non-profit organisations and the healthcare sector.
The researchers also noted that approximately 80% of the affected organisations are in Australia, Canada, the US, and several other nations in Europe and North America.
Furthermore, the threat group's multi-stage extortion campaign consists of exfiltrating data, encrypting systems, and threatening to publish, trade, or sell the stolen data.
The UNC2596 threat group has focused on the MS Exchange flaws to gain initial access to the target network and deploy the Cuba ransomware.
The hackers leveraged ProxyShell and ProxyLogon as the initial access vector for deploying the ransomware. Experts noted that Cuba ransomware is also tracked under the name COLDRAW.
Furthermore, they utilise commodity and custom malware and various backdoors to establish persistence on the target network.
The commodity tools and malware include SMB, PsExec, Wicker, Cobalt Strike Beacon, NetSupport, Mimikatz, RDP, and Termite. The custom tools include Wedgecut, eck.exe, Burntcigar, and Bughatch.
Some researchers also observed overlaps between CHANITOR malware operations and Cuba ransomware incidents. The observed similarities include shared infrastructure, shared packer usage, common code-signing certificates, and identical naming for URL paths, files, and domains.
The abuse of known flaws such as the MS Exchange vulnerabilities gives the threat actors more precise targeting and a higher infection success rate. A sophisticated threat group like UNC2596 may shift its focus to other flaws, and its success may draw the attention of other groups toward the same vulnerabilities.
Organisations can defend against these attacks by applying security updates as soon as software vendors release them.