The ransomware gang known as ‘Cuba’ is exploiting Microsoft Exchange bugs – including ProxyShell and ProxyLogon – as initial infection vectors. The group has been prying open these chinks in victims’ armour for many months, researchers reported.
Researchers noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW, or, at least, it’s the only group of cyber criminals using it among those tracked, “which may suggest it’s exclusively used by the group,” researchers said.
In December, the FBI attributed a spate of attacks to the group. At the time, it was noted that Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for a number of years.
This isn’t the first time that Cuba has shown a taste for Exchange vulnerabilities, either. They’re just one method that Hancitor operators use in order to gain initial access to target machines. Other routes include phishing emails, and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.
True to form, researchers observed the group “frequently” picking apart vulnerabilities on public-facing Microsoft Exchange infrastructure as an initial compromise vector. “The threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation,” researchers said.
Next, Cuba deployed webshells on the compromised Exchange servers to gain an initial foothold in the network. The actors then planted backdoors to make that foothold more durable, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper. The operators have mainly used credentials from valid accounts to escalate privileges, researchers noted. It’s not always clear where they got the credentials from, but at least in some cases, they were stolen with credential-stealing tools such as Mimikatz and WICKER.
Researchers added: “We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions. In one intrusion, the threat actor created a user account and added it to the admin and RDP groups.”
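The account manipulation described above leaves a recognisable trail in the Windows Security log: a user-account creation (event ID 4720) followed shortly by the same account being added to a privileged local or domain group (event IDs 4732, 4728 or 4756). The following detection logic is an added example and is not code from the article or from the researchers it quotes; the event records are constructed samples in a simplified dictionary form, and the host names, user names and the 60-minute correlation window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Fields mimic the
# Windows Security log: 4720 = user account created, 4732 = member added
# to a security-enabled local group. Host/user names are made up.
SAMPLE_EVENTS = [
    {"time": "2022-02-23T10:01:05", "event_id": 4720, "subject": "svc-exchange",
     "target": "backup_adm", "host": "EXCH01"},
    {"time": "2022-02-23T10:01:40", "event_id": 4732, "subject": "svc-exchange",
     "target": "backup_adm", "group": "Administrators", "host": "EXCH01"},
    {"time": "2022-02-23T10:02:10", "event_id": 4732, "subject": "svc-exchange",
     "target": "backup_adm", "group": "Remote Desktop Users", "host": "EXCH01"},
    # A routine onboarding: account created one day, RDP access granted the next.
    {"time": "2022-02-23T11:15:00", "event_id": 4720, "subject": "helpdesk",
     "target": "jdoe", "host": "DC01"},
    {"time": "2022-02-24T09:00:00", "event_id": 4732, "subject": "helpdesk",
     "target": "jdoe", "group": "Remote Desktop Users", "host": "DC01"},
]

# Groups whose membership grants admin or remote-logon rights (assumed watchlist).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "remote desktop users"}
# Event IDs for "member added to group": local (4732), global (4728), universal (4756).
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def find_suspicious_account_setup(events, window_minutes=60):
    """Return alerts where a newly created account was placed in a privileged
    group within `window_minutes` of its creation on the same host."""
    created = {}  # (host, account) -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"])
        if ev["event_id"] == 4720:
            created[key] = ts
        elif (ev["event_id"] in GROUP_ADD_EVENTS
              and ev.get("group", "").lower() in PRIVILEGED_GROUPS):
            if key in created and ts - created[key] <= timedelta(minutes=window_minutes):
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": ev["subject"],
                    "seconds_after_creation": int((ts - created[key]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_account_setup(SAMPLE_EVENTS):
        print(alert)
```

Only the account created and promoted within an hour is flagged; the next-day helpdesk change falls outside the window. In production the same rule would key on the target SID rather than the name, and the window would be tuned to the organisation's provisioning process.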
In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory.
Then, the crooks peek around to see what files might be of interest. They also routinely use a script to map all drives to network shares, “which may assist in user file discovery,” researchers noted.
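A host-discovery sweep of the kind attributed to WEDGECUT, one source sending ICMP echo requests to a long list of hosts in quick succession, stands out in network flow data as a source reaching an unusually large number of distinct destinations within a short window. The sliding-window counter below is an added example, not the researchers' tooling and not derived from WEDGECUT itself; the flow records are constructed samples in a simple CSV form, and the 20-destination threshold, the two-minute window and the IP addresses are assumptions.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO


def _constructed_flows():
    """Build a constructed flow log (not real traffic): one host pinging 40
    addresses in 40 seconds, a monitoring host pinging 3 addresses every 30 s,
    and one non-ICMP record that the detector must ignore."""
    lines = ["ts,src,dst,proto,icmp_type"]
    base = datetime(2022, 2, 23, 10, 5, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts},10.0.5.21,10.0.1.{i + 1},icmp,8")
    for i in range(20):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts},10.0.0.9,10.0.1.{(i % 3) + 1},icmp,8")
    lines.append(f"{base.isoformat()},10.0.5.21,10.0.1.50,tcp,")
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _constructed_flows()


def detect_ping_sweeps(flow_text, threshold=20, window_seconds=120):
    """Return {source: peak distinct echo-request destinations} for every
    source that reached at least `threshold` distinct hosts inside any
    `window_seconds` sliding window."""
    per_src = defaultdict(list)
    for row in csv.DictReader(StringIO(flow_text)):
        # Only ICMP echo requests (type 8) count as probes.
        if row["proto"] != "icmp" or row["icmp_type"] != "8":
            continue
        per_src[row["src"]].append((datetime.fromisoformat(row["ts"]), row["dst"]))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, probes in per_src.items():
        probes.sort()
        in_window = Counter()  # destination -> probes currently inside the window
        left = 0
        peak = 0
        for ts, dst in probes:
            in_window[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - probes[left][0] > window:
                old_dst = probes[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_FLOWS))
```

Counting distinct destinations rather than raw packet volume is what separates a sweep from a chatty monitoring host; the monitoring source here sends 20 echo requests but only ever reaches three hosts, so it is never reported.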
Cuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, “frequently using BEACON to facilitate this movement,” researchers said. They then deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often delivered by the TERMITE in-memory dropper.
To finish their extortion work, the gang tries to steal files and encrypt networked machines, with the threat of publishing content to a shaming site hanging over companies who are encouraged to pay a ransom. According to researchers, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. The payloads have included BEACON malware, the Metasploit stager or the group’s custom BUGHATCH downloader.
Cuba isn’t the only threat actor using the TERMITE dropper: Mandiant said that it’s apparently used by “a limited number” of threat actors. Over six months, collected TERMITE payloads show that its keepers have been grooming TERMITE, tweaking it so it burrows in and evades detection, researchers said.
Beyond common, mainstay malware tools such as Cobalt Strike and NetSupport, analysis showed that Cuba has some novel malware up its sleeve, including:
BURNTCIGAR: a utility that terminates endpoint security software.
WEDGECUT: a reconnaissance tool that checks to see whether a list of hosts or IP addresses are online.
BUGHATCH: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.
The researchers noted that when COLDDRAW was deployed, Cuba used what the researchers called “a multi-faceted extortion model” – i.e., besides encrypting data, the gang leaked it on the group’s shaming site.
Cuba’s favourite industry sector to strike is manufacturing, followed by financial services. The good news for organisations? At the time of writing, there is only a solitary victim listed on the shaming website.