UNC2596 exploits Microsoft’s ProxyShell and ProxyLogon vulnerabilities to distribute Cuba Ransomware

For the detailed advisory, download the PDF file here.

Threat actor UNC2596, known for its e-crime operations, has targeted more than 50 organizations in 11+ countries. The group expanded its initial access vector by exploiting the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to deploy Cuba ransomware.

During intrusions, UNC2596 has used web shells to load the TERMITE in-memory dropper, with follow-on activity involving various backdoors and built-in Windows tools. The group has also employed new malware, such as WEDGECUT to enumerate active hosts, BURNTCIGAR to disable endpoint security, and the BUGHATCH custom downloader, alongside familiar tools such as Cobalt Strike BEACON and NetSupport. UNC2596 applied a multi-pronged extortion technique: data was stolen and leaked on the group's shaming website in addition to systems being encrypted with Cuba ransomware.

Organizations can mitigate the risk by following these recommendations:

• Have an effective backup strategy that ensures the backups are inaccessible from the endpoint.
• Keep all operating systems and software up to date.
• Implement a user training program and phishing exercises.

The MITRE ATT&CK tactics and techniques used by UNC2596 in the current attack are:

TA0001: Initial Access
TA0007: Discovery
TA0040: Impact
TA0009: Collection
TA0005: Defense Evasion
TA0003: Persistence
TA0011: Command and Control
TA0042: Resource Development
TA0002: Execution
TA0008: Lateral Movement
TA0006: Credential Access
T1190: Exploit Public-Facing Application
T1010: Application Window Discovery
T1012: Query Registry
T1016: System Network Configuration Discovery
T1018: Remote System Discovery
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1518: Software Discovery
T1486: Data Encrypted for Impact
T1489: Service Stop
T1056.001: Keylogging
T1021.004: SSH
T1555.003: Credentials from Web Browsers
T1021.001: Remote Desktop Protocol
T1112: Modify Registry
T1134: Access Token Manipulation
T1134.001: Token Impersonation/Theft
T1140: Deobfuscate/Decode Files or Information
T1497.001: System Checks
T1553.002: Code Signing
T1564.003: Hidden Window
T1574.011: Services Registry Permissions Weakness
T1620: Reflective Code Loading
T1098: Account Manipulation
T1136: Create Account
T1136.001: Local Account
T1543.003: Windows Service
T1071.001: Web Protocols
T1071.004: DNS
T1095: Non-Application Layer Protocol
T1105: Ingress Tool Transfer
T1573.002: Asymmetric Cryptography
T1583.003: Virtual Private Server
T1587.003: Digital Certificates
T1588.003: Code Signing Certificates
T1608.001: Upload Malware
T1608.002: Upload Tool
T1608.003: Install Digital Certificate
T1608.005: Link Target
T1053: Scheduled Task/Job
T1059: Command and Scripting Interpreter
T1059.001: PowerShell
T1129: Shared Modules
T1569.002: Service Execution
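
Two of the techniques listed above, T1489 (Service Stop) and T1543.003 (Windows Service), correspond to the endpoint-security tampering and service-based persistence described in this advisory (BURNTCIGAR disabling endpoint security). The following Python script is an added example, not part of the advisory and not tooling from the actor or any vendor: it scans Windows System-log entries for the real event IDs 7036 (service state change), 7040 (start type change) and 7045 (new service installed) and raises an alert when a watched security or backup service is stopped or disabled, or when a new service is installed from a user-writable path. The log line layout, the sample entries, the watched-service keyword list and the suspicious-path markers are all constructed assumptions to be tuned for your own environment.

```python
import re
from datetime import datetime, timedelta

# Windows System-log event IDs (real IDs); everything else here is constructed.
EVT_SERVICE_STATE = 7036       # "The <name> service entered the <state> state."
EVT_START_TYPE_CHANGED = 7040  # "The start type of the <name> service was changed ..."
EVT_SERVICE_INSTALLED = 7045   # "A service was installed in the system. ..."

# Assumption: keywords found in the display names of security/backup services
# an intruder disabling endpoint protection would stop (tune per estate).
WATCHED_KEYWORDS = ("defender", "antivirus", "endpoint", "volume shadow copy",
                    "firewall", "backup")

# Assumption: directories a legitimately installed service binary rarely lives in.
SUSPICIOUS_PATH_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed line layout: <timestamp> EventID=<id> Message="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) Message="(?P<msg>.*)"$')
STATE_RE = re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state\.$")
START_TYPE_RE = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed from (?P<old>.+) to (?P<new>.+)\.$")
INSTALL_RE = re.compile(r"Service Name: (?P<svc>.+?) Service File Name: (?P<path>.+?) Service Type:")

# Constructed sample log: one benign restart, one service installed from a
# user-writable path, Defender stopped and disabled, VSS stopped, one vendor install.
SAMPLE_LOG = [
    r'2022-02-23 10:14:02 EventID=7036 Message="The Print Spooler service entered the running state."',
    r'2022-02-23 10:14:05 EventID=7045 Message="A service was installed in the system. Service Name: SysUpdate Service File Name: C:\Users\Public\upd.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem"',
    r'2022-02-23 10:14:09 EventID=7036 Message="The Microsoft Defender Antivirus Service service entered the stopped state."',
    r'2022-02-23 10:14:11 EventID=7040 Message="The start type of the Microsoft Defender Antivirus Service service was changed from auto start to disabled."',
    r'2022-02-23 10:14:40 EventID=7036 Message="The Volume Shadow Copy service entered the stopped state."',
    r'2022-02-23 10:15:00 EventID=7045 Message="A service was installed in the system. Service Name: VendorUpdater Service File Name: C:\Program Files\Vendor\updater.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem"',
]


def is_watched(service_name):
    """True if the display name matches one of the watched security/backup keywords."""
    name = service_name.lower()
    return any(k in name for k in WATCHED_KEYWORDS)


def parse_line(line):
    """Return {'ts', 'eid', 'msg'} for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(m["eid"]), "msg": m["msg"]}


def detect(lines, burst_window=timedelta(minutes=2), burst_threshold=2):
    """Map service events to ATT&CK techniques and report whether several watched
    services were stopped inside one short window (a tampering burst)."""
    alerts, stop_times = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed or unrelated line
        if ev["eid"] == EVT_SERVICE_STATE:
            m = STATE_RE.match(ev["msg"])
            if m and m["state"] == "stopped" and is_watched(m["svc"]):
                alerts.append({"ts": ev["ts"], "technique": "T1489", "service": m["svc"],
                               "reason": "watched service stopped"})
                stop_times.append(ev["ts"])
        elif ev["eid"] == EVT_START_TYPE_CHANGED:
            m = START_TYPE_RE.match(ev["msg"])
            if m and m["new"].lower() == "disabled" and is_watched(m["svc"]):
                alerts.append({"ts": ev["ts"], "technique": "T1489", "service": m["svc"],
                               "reason": "watched service start type set to disabled"})
        elif ev["eid"] == EVT_SERVICE_INSTALLED:
            m = INSTALL_RE.search(ev["msg"])
            if m and any(marker in m["path"].lower() for marker in SUSPICIOUS_PATH_MARKERS):
                alerts.append({"ts": ev["ts"], "technique": "T1543.003", "service": m["svc"],
                               "reason": f"new service installed from {m['path']}"})
    # Burst check: burst_threshold watched stops within burst_window of each other.
    stop_times.sort()
    burst = any(stop_times[i + burst_threshold - 1] - stop_times[i] <= burst_window
                for i in range(len(stop_times) - burst_threshold + 1))
    return alerts, burst


if __name__ == "__main__":
    found, tampering_burst = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['technique']} {a['service']}: {a['reason']}")
    print("several watched services stopped in quick succession:", tampering_burst)
```

On the constructed sample the script yields four alerts (one T1543.003 for the service installed under C:\Users\Public, three T1489 for Defender being stopped and disabled and VSS being stopped) and flags a burst, since two watched services stopped within two minutes; the vendor service installed under Program Files produces no alert. A single stop of one watched service is a common benign event, which is why the burst signal, not the individual alert, is what deserves escalation.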

Actor Detail

Vulnerability Details

Indicators of Compromise (IoCs)

Recent Breaches

Patch Links