{"id":94986,"date":"2022-02-28T11:31:22","date_gmt":"2022-02-28T11:31:22","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=94986"},"modified":"2023-07-20T07:00:06","modified_gmt":"2023-07-20T07:00:06","slug":"cuba-ransomware-targeting-vulnerable-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/cuba-ransomware-targeting-vulnerable-exchange-servers\/","title":{"rendered":"Cuba Ransomware Targeting Vulnerable Exchange Servers- Patch Now"},"content":{"rendered":"

Microsoft Exchange Servers with flaws across the globe are hit by yet another ransomware termed Cuba ransomware<\/strong>.  <\/p>

The ransomware gang is exploiting the Exchange Server vulnerabilities, including ProxyLogon<\/a> and ProxyShell<\/a>, to gain initial access to the organizations’ network and encrypt the connected devices for a ransom.<\/p>

Cuba Ransomware History<\/h2>

Cuba ransomware operation started in late 2019. Initially slow, ransomware picked up the pace in 2020 and 2021. FBI had issued an advisory<\/a> on Cuba ransomware back in December 2021 after 49 U.S. based organizations in at least five critical infrastructure sectors, such as IT, manufacturing, financial, government, and healthcare were compromised.<\/p>

According to the FBI, the threat actors behind the attacks have demanded $74 million and received at least $43+ million in ransom payments from their victims.<\/p>

Mandiant tracks<\/a> (a cyber-security firm) has codenamed the gang as UNC2596<\/strong>—known for leaking stolen data on the groups’ shaming websites (sites where threat actors publish or sell stolen data), and the Cuba ransomware as COLDDRAW<\/strong>.<\/p>

The report by Mandiant tracks shows that the gang is primarily targeting critical organizations based in the United States and Canada, followed by Australia, Austria, Belgium, Columbia, Germany, India, Jordon, Poland, and the United Kingdom.<\/p>

\"mandiant
Image Source – Mandiant <\/figcaption><\/figure>

How is Cuba Ransomware Gang Compromising the Exchange Server?<\/h2>

The Cuba ransomware is distributed via a loader called Hancitor malware<\/a>—used for dropping and executing stealers, such as publically available NetSupport Remote Access Trojans or RATs, BUGHATCH, and create backdoors for persistent access and lateral movements in the targeted organizations’ network.<\/p>

The gang uses phishing emails to target Exchange Servers flaws, compromised user credentials, or Remote Desktop Protocol (RDP) tools to gain initial access. After gaining the initial access, the ransomware installs the CobaltStrike beacon via PowerShell on the victim’s network. Upon installation, the ransomware downloads pones.exe<\/strong> for password acquisition and krots.exe<\/strong> to enable Cuba ransomware to write to compromised systems’ temporary files (TMP).<\/p>

Once the TMP file is uploaded, the korts.exe<\/strong> is deleted, and the TMP file, including the API calls related to memory injection executed on the compromised network. After TMP file execution, the file is deleted, and the compromised system starts communicating with the malware repository.<\/p>

Sample Cuba Note,<\/strong><\/p>

Good day. All your files are encrypted. For decryption, contact us.\nWrite here iracomp3@protonmail.com\nWe also inform you that we downloaded your databases, FTP server, and file server to our servers.\n* Do not rename encrypted files\n* Do not try to decrypt your data using third party software,\nit may cause permanent data loss.<\/pre>
How to Protect Exchange Servers from Cuba Ransomware?<\/h2>
To protect Exchange Servers against Cuba and other ransomware or malicious attacks, follow these FBI recommendations<\/a>.<\/p>
Besides, patch the server immediately with the latest Security and Cumulative Updates available for your Exchange Server version.  <\/p>
Follow these steps to check the server’s health and identify vulnerabilities you need to patch.<\/p>
Step 1: Run HealthChecker Script<\/h3>
Use HealthChecker.ps1 PowerShell script released by Microsoft to check the Exchange Server health. The script currently supports Microsoft Exchange Server 2013, 2016, and 2019.<\/p>
The steps are as follows,<\/p>