The Cuba ransomware, known for impacting dozens of organizations globally including critical infrastructure, has over the past year started targeting Microsoft Exchange vulnerabilities in order to gain initial access.
The ransomware, which is known for encrypting the files on compromised networks with the “.cuba” extension, has previously been distributed via the Hancitor malware, a loader known for executing second-stage malware onto victim networks, including stealers, remote access trojans (RATs) and ransomware. In order to gain initial access, the malware leverages phishing emails or compromised credentials.
However, researchers with Mandiant have observed that as early as August the attackers behind the ransomware started directly targeting the ProxyShell and ProxyLogon flaws, rather than being deployed via the loader.
“Shifting towards vulnerabilities for initial access could offer threat actors more accurate targeting and higher success rates when compared to malicious email campaigns, which rely more on uncontrollable factors, such as victims’ interacting with malicious links or documents,” said Tyler McLellan, Joshua Shilko and Shambavi Sadayappan, with Mandiant, in an analysis this week. "As the number of vulnerabilities identified and publicly disclosed continues to increase year after year, Mandiant has also observed an increase in the use of vulnerabilities as an initial compromise vector by ransomware threat actors including utilizing both zero-day and n-day vulnerabilities in their activity."
Mandiant researchers said the threat actor behind the Cuba ransomware, which they label UNC2596, is known to leak stolen data on the group’s shaming website. The actors have previously demanded at least $74 million from victims and received at least $43.9 million in ransom payments, according to the FBI.
Cuba ransomware operations have impacted organizations across more than ten countries (with about 80 percent of victims in North America), including those in critical infrastructure sectors. In a December advisory, the FBI previously said it identified the actors compromising at least 49 entities in five critical infrastructure sectors, including the financial, government, healthcare, manufacturing and IT sectors.
“As the number of vulnerabilities publicly disclosed continues to rise, we anticipate threat actors, including ransomware operators, to continue to exploit vulnerabilities in their operations."
After gaining initial access via the Exchange vulnerabilities, the ransomware has typically deployed webshells to establish a foothold in victim networks, escalate privileges and perform internal reconnaissance to identify network hosts that are potential candidates for encryption or files to use for extortion.
Previous Cuba ransomware incidents have leveraged a number of public tools, including remote control software NetSupport and built-in Windows capabilities such as PsExec, RDP, and PowerShell. Researchers have also observed attackers using credential-theft tools available for purchase like Wicker, and exploits with publicly available proof-of-concept code.
However, the actor also uses a number of private tools, including ones that researchers said they have not observed in use by other threat activity clusters. These include a reconnaissance tool that researchers called Wedgecut, which has a filename check.exe and checks whether a list of hosts or IP addresses are online using ICMP packets; a downloader called Bughatch that executes arbitrary code on the compromised system; and a utility called Burntcigar (utilized more recently by the group, starting in November) that terminates processes associated with endpoint security software.
The ransomware "is above average for sophistication, the threat actors are using a custom packer we haven't seen used by any other groups, this has allowed them to avoid detection even though the ransomware itself has had some known samples available for a while now," said McLellan. The ransomware "will also just encrypt the beginning and end of some larger files, showing an interest in having the maximum impact as quick as possible, and it can search network drives to encrypt across a victim's network from a single system," he said.
Mandiant researchers noted that UNC2596 is one of many ransomware actors to increasingly shift to exploiting flaws as part of their initial infection vector, with others including financially motivated group UNC2447 and ransomware and extortion gang FIN11.
“As the number of vulnerabilities publicly disclosed continues to rise, we anticipate threat actors, including ransomware operators, to continue to exploit vulnerabilities in their operations,” said researchers.