Hackers use ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to deploy web shells and Trojans.
Cuba ransomware operators exploit vulnerabilities in Microsoft Exchange to gain initial access to corporate networks and encrypt devices. Researchers at the information security company Mandiant track the ransomware group as UNC2596 and the ransomware itself as COLDDRAW (also known as Cuba).
The attackers primarily target Microsoft Exchange servers in the United States and Canada. Since August 2021 they have been using the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to deploy web shells, remote access Trojans and backdoors. The backdoors include Cobalt Strike beacons and the NetSupport Manager remote access tool, but the group also uses its own tools Bughatch, Wedgecut (check.exe) and Burntcigar.
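A defender-side check for the initial-access stage described above, added here as an example and not taken from the article or from Mandiant: a small scanner over IIS W3C log lines that flags the ProxyShell path-confusion pattern (autodiscover.json with an `@` and an `Email=autodiscover/autodiscover.json` parameter) and later requests to `.aspx` files under `/aspnet_client/`, a common web shell drop location. The log lines, field layout, IP addresses and the file name `updatedb.aspx` are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IIS W3C log lines (not from any real incident). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2021-09-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-09-01 10:00:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.org 443 - 203.0.113.10 python-requests/2.26 200
2021-09-01 10:00:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell/?&Email=autodiscover/autodiscover.json%3F@example.org 443 - 203.0.113.10 python-requests/2.26 200
2021-09-01 10:00:30 10.0.0.5 POST /aspnet_client/updatedb.aspx - 443 - 203.0.113.10 python-requests/2.26 200
2021-09-01 10:01:00 10.0.0.5 GET /ecp/default.flt - 443 - 198.51.100.7 Mozilla/5.0 200
"""

@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    uri: str

# ProxyShell path confusion: the Email= parameter points back at autodiscover.json
# and the request is routed on to a back-end endpoint such as /powershell or /mapi/nspi.
PROXYSHELL_QUERY = re.compile(r"email=autodiscover/autodiscover\.json", re.I)
PROXYSHELL_TARGET = re.compile(r"/(powershell|mapi/nspi)", re.I)

def classify(stem: str, query: str) -> Optional[str]:
    s, q = stem.lower(), query.lower()
    if "/autodiscover/autodiscover.json" in s and ("@" in q or PROXYSHELL_QUERY.search(q)):
        return "proxyshell-path-confusion" if PROXYSHELL_TARGET.search(q) else "proxyshell-probe"
    # Post-exploitation: legitimate clients rarely request .aspx files under /aspnet_client/.
    if s.startswith("/aspnet_client/") and s.endswith(".aspx"):
        return "aspx-under-aspnet_client"
    return None

def scan(log_text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(" ")
        if not line or line.startswith("#") or len(fields) < 9:
            continue  # skip blank lines, W3C header lines and truncated records
        stem, query, client_ip = fields[4], fields[5], fields[8]
        rule = classify(stem, query)
        if rule:
            findings.append(Finding(n, rule, client_ip, stem if query == "-" else f"{stem}?{query}"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.uri}")
```

A hit on the ProxyShell rule followed by ASPX requests under `/aspnet_client/` from the same client is the sequence worth triaging first.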
Wedgecut is delivered as an executable named check.exe and is a reconnaissance tool that enumerates Active Directory via PowerShell.
Bughatch is a loader that retrieves PowerShell scripts and files from the command-and-control server. The malware is loaded into memory from a remote URL to evade detection.
Burntcigar is a utility that terminates processes at the kernel level by exploiting a vulnerability in an Avast driver.
The attackers elevate privileges using credentials stolen with Mimikatz and the Wicker tool. They then perform network reconnaissance with Wedgecut and move laterally using RDP, SMB, PsExec and Cobalt Strike.