2022-03-01

UNC2596 & Cuba Ransomware


Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports activity from the threat group UNC2596, which deploys Cuba (COLDDRAW) ransomware after exploiting the Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. The group has targeted organizations in more than 10 countries, with 80% of the victims based in North America, across many verticals including construction engineering, education, energy, financial, government, health care, legal, manufacturing, media, oil, technology and transportation. Its extortion model has incorporated a shaming website since 2021. Observed privilege escalation tactics include Mimikatz and the creation of new user accounts. Reconnaissance has involved a ping sweep tool and a PowerShell script that calls "Get-ADComputer". Lateral movement is carried out over RDP and SMB and with PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.

Anvilogic Use Cases:

  • Potential ProxyShell
  • Potential PHP Webshell
  • Mimikatz
  • Create/Add Local/Domain User
  • Potential Ping Sweep
  • Common Active Directory Commands
  • Remote Admin Tools
  • RDP Hijacking
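As an added illustration of the "Potential Ping Sweep" and "Common Active Directory Commands" use cases above (example code written for this page, not Anvilogic's or Mandiant's own detection content), the following runs simple detection logic over constructed Windows event records; the hostnames, timestamps, event field names and thresholds are assumptions chosen for the sample, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the Mandiant report). Fields mimic the
# Windows Security 4688 (process creation) and PowerShell 4104 (script block)
# records a SIEM would hold; the 12 sequential pings model a sweep of a /24.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T10:00:%02d" % i, "host": "WS-07", "id": 4688,
     "cmd": "ping.exe -n 1 10.0.5.%d" % (10 + i)} for i in range(12)
] + [
    {"ts": "2022-03-01T10:05:00", "host": "WS-07", "id": 4104,
     "cmd": "Get-ADComputer -Filter * | Select-Object Name"},
    {"ts": "2022-03-01T11:00:00", "host": "WS-02", "id": 4688,
     "cmd": "ping.exe -n 1 10.0.5.1"},  # a single ping: benign noise
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def detect_ping_sweep(events, min_targets=8, window=timedelta(minutes=5)):
    """Return {host: sorted target IPs} for hosts whose ping.exe invocations
    reached at least min_targets distinct IPs inside any sliding window."""
    by_host = defaultdict(list)
    for e in events:
        if e["id"] == 4688 and e["cmd"].lower().startswith("ping"):
            m = IP_RE.search(e["cmd"])
            if m:
                by_host[e["host"]].append(
                    (datetime.fromisoformat(e["ts"]), m.group(1)))
    hits = {}
    for host, pings in by_host.items():
        pings.sort()  # chronological, so each start index opens a window
        for i, (t0, _) in enumerate(pings):
            targets = {ip for t, ip in pings[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[host] = sorted(targets)
                break
    return hits


def detect_ad_enumeration(events):
    """Return (host, script block) for PowerShell 4104 records that call
    Get-ADComputer, the cmdlet the report ties to UNC2596 reconnaissance."""
    return [(e["host"], e["cmd"]) for e in events
            if e["id"] == 4104 and "get-adcomputer" in e["cmd"].lower()]
```

Script block logging (event 4104) must be enabled on endpoints for the second check to have any data; the first relies on command-line auditing in 4688 records.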
