Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Exchange Servers Hacked to Deploy Cuba Ransomware

Microsoft Exchange Servers Hacked to Deploy Cuba Ransomware

The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.

Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.

Cuba is a ransomware operation that launched at the end of 2019, and while they started slow, they began to pick up speed in 2020 and 2021. This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S.

In a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.

Also Read: 7 Phases Of Data Life Cycle Every Business Must Be Informed

Cuba ransomware victims heat map
Cuba ransomware victims heat map
Source: Mandiant

Mixing commodity and custom malware

The Cuba ransomware gang was seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish their foothold on the target network since August 2021.

“Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021,” explains Mandiant in a new report.

Also Read: How To Delete Security Camera Footage: 5 Different Ways

The planted backdoors include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses their own ‘Bughatch’, ‘Wedgecut’, and ‘eck.exe”, and Burntcigar’ tools.

Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.

Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.

Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.

Finally, there’s a memory-only dropper that fetches the above payloads and loads them, called Termite. However, this tool has been observed in campaigns of multiple threat groups, so it’s not used exclusively by the Cuba threat actors.

The threat actors escalate privileges using stolen account credentials sourced through the readily available Mimikatz and Wicker tools.

Then they perform network reconnaissance with Wedgecut, and next, they move laterally with RDP, SMB, PsExec, and Cobalt Strike.

The subsequent deployment is Bughatch loaded by Termite, followed by Burntcigar, which lays the ground for data exfiltration and file encryption by deactivating security tools.

The Cuba gang doesn’t use any cloud services for the exfiltration step but instead sends everything onto their own private infrastructure.

Cuba ransomware note to victims
Cuba ransomware note to victims
Source: Mandiant

An evolving operation

Back in May 2021, Cuba ransomware partnered with the spam operators of the Hancitor malware to gain access to corporate networks through DocuSign phishing emails.

Since then, Cuba has evolved its operations to target public-facing services vulnerabilities, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.

This shift makes the attacks more potent but also easier to thwart, as security updates that plug the exploited issues have been available for many months now.

The Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers.

This means that applying the available security updates as soon as the software vendors release them is key in maintaining a robust security stance against even the most sophisticated threat actors.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us