The ransomware gang known as Cuba is increasingly shifting to exploiting Exchange bugs – including crooks’ favorites ProxyShell and ProxyLogon – as initial infection vectors.
The ransomware gang known as “Cuba” is increasingly shifting to exploiting Microsoft Exchange vulnerabilities – including ProxyShell and ProxyLogon – as initial infection vectors, researchers have found.
The group has likely been prying open these chinks in victims’ armor since as early as last August, Mandiant reported on Wednesday.
Mandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW: At the very least, it’s the only threat actor using it among those tracked by Mandiant, “which may suggest it is exclusively used by the group,” researchers said.
Cuba Has Rated an FBI Warning
In a December flash alert, the FBI attributed a spate of attacks – on at least 49 U.S. entities in the financial, government, healthcare, manufacturing and information-technology sectors – to the group. For what it’s worth, Mandiant hasn’t seen Cuba attacking hospitals or other entities that provide urgent care.
At the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for at least five years.
This isn’t the first time that Cuba has shown a taste for Exchange vulnerabilities, either. They are just one way that Hancitor operators gain initial access to target systems: Other avenues include phishing emails, and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, according to the FBI’s December alert.
Microsoft Exchange Action
True to form, Mandiant observed the group “frequently” picking apart vulnerabilities on public-facing Microsoft Exchange infrastructure as an initial compromise vector. “The threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation,” researchers said.
Next, Cuba deployed webshells to gain a foothold in the compromised network. The actors then planted backdoors to keep that access, such as the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which were deployed using the TERMITE in-memory dropper.
The operators have mostly used credentials from legitimate accounts to escalate privileges, researchers observed. It’s not always clear where they obtained the credentials, but at least in some cases they were stolen with credential-stealing tools such as Mimikatz and WICKER.
“We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions,” researchers added. In one intrusion, the threat actor created a user account and added it to the administrator and RDP groups, they said.
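The account manipulation described above leaves a clear trail in the Windows Security log: a user-creation event followed shortly by additions of that same account to the local Administrators or Remote Desktop Users groups. The following detection sketch is an added example, not code from the article or from Mandiant; the event IDs are the real Windows values, while the hosts, account names and timestamps are constructed samples.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (real values): 4720 = user account created,
# 4732 = member added to a security-enabled local group.
EVT_USER_CREATED = 4720
EVT_LOCAL_GROUP_ADD = 4732
# Local groups that grant admin rights or RDP logon, the two the article names.
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample events; hosts, accounts and times are made up, not from
# the article or any real incident.
SAMPLE_EVENTS = [
    {"ts": "2022-02-23T01:14:02", "id": 4720, "host": "WS-EXCH01",
     "target": "helpdesk2"},
    {"ts": "2022-02-23T01:14:09", "id": 4732, "host": "WS-EXCH01",
     "member": "helpdesk2", "group": "Administrators"},
    {"ts": "2022-02-23T01:14:15", "id": 4732, "host": "WS-EXCH01",
     "member": "helpdesk2", "group": "Remote Desktop Users"},
    # Benign: new account added only to a non-sensitive group.
    {"ts": "2022-02-23T09:00:00", "id": 4720, "host": "WS-FILE02",
     "target": "jdoe"},
    {"ts": "2022-02-23T09:00:30", "id": 4732, "host": "WS-FILE02",
     "member": "jdoe", "group": "Users"},
    # Benign: admin add two days after creation, outside the window.
    {"ts": "2022-02-25T12:00:00", "id": 4732, "host": "WS-FILE02",
     "member": "jdoe", "group": "Administrators"},
]

def find_new_privileged_accounts(events, window_minutes=60):
    """Return (host, account, [groups]) for accounts that were created and then
    added to a sensitive local group within window_minutes of creation."""
    created = {}  # (host, account) -> creation timestamp
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == EVT_USER_CREATED:
            created[(ev["host"], ev["target"].lower())] = ts
        elif ev["id"] == EVT_LOCAL_GROUP_ADD and ev["group"] in SENSITIVE_GROUPS:
            key = (ev["host"], ev["member"].lower())
            born = created.get(key)
            if born is not None and ts - born <= timedelta(minutes=window_minutes):
                hits.setdefault(key, set()).add(ev["group"])
    return [(h, a, sorted(g)) for (h, a), g in sorted(hits.items())]

if __name__ == "__main__":
    for host, account, groups in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT {host}: new account {account!r} added to {', '.join(groups)}")
```

In production the same correlation would read 4720/4732 records from the event log or SIEM rather than an inline list; the time window is the tunable that separates a routine onboarding from a freshly minted admin account.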
Infection Chain
In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool that sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory.
Then, the crooks look around to see what files may be of interest. They also routinely use a script to map all drives to network shares, “which may assist in user file discovery,” researchers noted.
Cuba threat actors have used several methods for lateral movement, including RDP, SMB and PsExec, “frequently utilizing BEACON to facilitate this movement,” Mandiant said. They then deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper.
To finish up their extortion work, the gang tries to steal files and encrypt networked systems, threatening to publish on its shaming site exfiltrated data belonging to organizations that balk at paying the ransom.
More Tools, More Malware
According to Mandiant’s report, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. The payloads have included BEACON malware, the Metasploit stager or the group’s custom BUGHATCH downloader.
Cuba isn’t the only threat actor using the TERMITE dropper: Mandiant said that it’s apparently used by “a limited number” of threat actors.
Over the course of six months, collected TERMITE payloads show that its keepers have been grooming TERMITE, tweaking it so as to better burrow in and evade detection, researchers said.
Custom-Rolled Malware & Tools
Beyond common, mainstay malware tools such as Cobalt Strike and NetSupport, Mandiant’s analysis showed that Cuba has some novel malware up its sleeve, including:
BURNTCIGAR: a utility that terminates endpoint security software.
WEDGECUT: a reconnaissance tool that checks whether a list of hosts or IP addresses are online.
BUGHATCH: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.
The researchers noted that when COLDDRAW was deployed, Cuba used what they called “a multi-faceted extortion model” – i.e., apart from encrypting data, the gang leaked it on the group’s shaming site, which is depicted below in all its cigar-chomping glory.
Who Does Cuba Love the Best?
The majority – 80 percent – of organizations victimized by Cuba are based in North America, but Cuba loves the United States more than anywhere else. As shown by the victim map below, the United States is Cuba’s favorite target, followed by Canada, though the group does go after European countries and other regions.
Its favorite industry sector to pick on is manufacturing, followed by financial services.
Regarding the victims listed on its shaming site – which the gang has had up only since early 2021 – Cuba offers a victim list for free, but it also keeps a separate list that you have to pay to see. Mandiant bit the bullet and sprang for that paid section.
It was sparse, to say the least: “[The] paid section … listed only a single victim at the time of publication,” its report said.
Some parts of this article are sourced from:
threatpost.com