March 01, 2022

UNC2596 & Cuba Ransomware

Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports that the threat group UNC2596 has been deploying COLDDRAW ransomware (commonly known as Cuba) after gaining initial access by exploiting the Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. The group has targeted organizations in more than 10 countries, with about 80% of victims based in North America, across many verticals including construction engineering, education, energy, financial services, government, healthcare, legal, manufacturing, media, oil, technology and transportation. Its extortion model includes a shaming website that has been in use since 2021. For privilege escalation, UNC2596 has used Mimikatz and has created additional user accounts. Reconnaissance has involved a ping sweeping tool and a PowerShell script that calls Get-ADComputer to enumerate domain systems. Lateral movement is carried out over RDP and SMB and with PsExec. The group completes its operation with batch scripts that collect, encrypt and exfiltrate data.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential PHP Webshell
    • Mimikatz
    • Create/Add Local/Domain User
    • Potential Ping Sweep
    • Common Active Directory Commands
    • Remote Admin Tools
    • RDP Hijacking
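The following is an added example, not Anvilogic's detection content and not code from the Mandiant report, showing how several of the behaviours in the summary above (Get-ADComputer enumeration, ping sweeping, Mimikatz, account creation, PsExec, tscon-based RDP hijacking) can be matched against Windows event records. The event IDs follow standard Windows logging (Security 4688 process creation, Security 4720 user created, System 7045 service installed), but every record, host name, user name and the ping-sweep threshold of 10 distinct targets in 60 seconds are constructed assumptions for this example.

```python
"""Toy detection pass over constructed Windows event records for the
UNC2596 tradecraft summarised above. Example code added for this page;
not Anvilogic's rules and not taken from the Mandiant report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Hosts/users are invented.
EVENTS = [
    # 4688 process creation: AD enumeration from PowerShell
    {"ts": "2022-02-20T10:00:00", "host": "WS01", "EventID": 4688, "User": "corp\\jdoe",
     "CommandLine": 'powershell.exe -c "Get-ADComputer -Filter * | Select Name,IPv4Address"'},
    # 4688 burst of ping.exe to 20 distinct hosts within a minute: ping sweep
    *[{"ts": f"2022-02-20T10:01:{i:02d}", "host": "WS01", "EventID": 4688, "User": "corp\\jdoe",
       "CommandLine": f"ping.exe -n 1 10.0.0.{i}"} for i in range(1, 21)],
    # 4688 Mimikatz credential dump
    {"ts": "2022-02-20T10:05:00", "host": "WS01", "EventID": 4688, "User": "corp\\jdoe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # 4720 new local/domain account
    {"ts": "2022-02-20T10:06:00", "host": "DC01", "EventID": 4720, "User": "corp\\jdoe",
     "TargetUserName": "svc_backup2"},
    # 7045 service installed by PsExec (PSEXESVC) on the lateral-movement target
    {"ts": "2022-02-20T10:07:00", "host": "SRV02", "EventID": 7045, "User": "corp\\jdoe",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # 4688 tscon redirecting another user's RDP session: RDP hijacking
    {"ts": "2022-02-20T10:08:00", "host": "SRV02", "EventID": 4688, "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "tscon.exe 2 /dest:console"},
    # benign noise that must not alert
    {"ts": "2022-02-20T10:09:00", "host": "WS02", "EventID": 4688, "User": "corp\\asmith",
     "CommandLine": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Command-line signatures, named after the use cases listed above.
COMMAND_LINE_RULES = [
    ("Common Active Directory Commands", re.compile(r"\bGet-ADComputer\b", re.I)),
    ("Mimikatz", re.compile(r"\bmimikatz\b|sekurlsa::", re.I)),
    ("RDP Hijacking", re.compile(r"\btscon(?:\.exe)?\b.*/dest:", re.I)),
]
PING_RE = re.compile(r"\bping(?:\.exe)?\b(.*)$", re.I)
PING_SWEEP_MIN_TARGETS = 10              # assumed threshold, tune per environment
PING_SWEEP_WINDOW = timedelta(seconds=60)  # assumed window


def _alert(rule, ev, **extra):
    return {"rule": rule, "host": ev["host"], "ts": ev["ts"], "user": ev["User"], **extra}


def detect_command_lines(events):
    """Match process-creation command lines against the signature table."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        for rule, rx in COMMAND_LINE_RULES:
            if rx.search(ev["CommandLine"]):
                alerts.append(_alert(rule, ev, command=ev["CommandLine"]))
    return alerts


def detect_ping_sweeps(events):
    """Flag a host that pings >= N distinct targets inside the window.
    A single ping is normal; the burst of distinct destinations is the signal."""
    pings = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        m = PING_RE.search(ev["CommandLine"])
        if not m or not m.group(1).split():
            continue
        target = m.group(1).split()[-1]   # last argument is the destination
        pings[ev["host"]].append((datetime.fromisoformat(ev["ts"]), target, ev))
    alerts = []
    for host, items in pings.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _, ev) in enumerate(items):
            targets = {t for ts, t, _ in items[i:] if ts - start <= PING_SWEEP_WINDOW}
            if len(targets) >= PING_SWEEP_MIN_TARGETS:
                alerts.append(_alert("Potential Ping Sweep", ev, targets=len(targets)))
                break   # one alert per host is enough
    return alerts


def detect_account_creation(events):
    return [_alert("Create/Add Local/Domain User", ev, new_account=ev["TargetUserName"])
            for ev in events if ev["EventID"] == 4720]


def detect_psexec(events):
    """PsExec installs its PSEXESVC service on the target, logged as System 7045."""
    return [_alert("Remote Admin Tools", ev, service=ev["ServiceName"])
            for ev in events
            if ev["EventID"] == 7045
            and re.search(r"psexesvc", ev["ServiceName"] + ev.get("ImagePath", ""), re.I)]


def run_detections(events):
    return (detect_command_lines(events) + detect_ping_sweeps(events)
            + detect_account_creation(events) + detect_psexec(events))


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(a["ts"], a["host"], a["rule"])
```

Running the block over the constructed records yields one alert per tactic (six in total) and nothing for the benign notepad.exe record. The ping-sweep rule is the only stateful one: it keys on source host and counts distinct destinations in a sliding window, which is what separates a sweep from routine single pings. In production the same logic would read from a SIEM rather than an inline list, and the thresholds would be tuned to the environment's normal ICMP behaviour.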