Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Data Sheets
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoStart Free Trial
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Data Sheets
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoStart Free Trial

UNC2596 exploits Microsoft’s ProxyShell and ProxyLogon vulnerabilities to distribute Cuba Ransomware

Threat Level – Amber | Vulnerability Report
Download PDF

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

Threat actor UNC2596 popularly known for their Ecrime business has targeted more than 50 organizations in 11+ countries. The threat actors increased their initial attack vector by exploiting proxyshell and proxylogon vulnerabilities to deploy Cuba ransomware.

The UNC2596 threat actor has used web shells to load the TERMITE in-memory dropper during intrusions, with further activity involving various backdoors and built-in Windows tools. The threat actor has also employed new malware, such as WEDGECUT to enumerate active hosts, BURNTCIGAR to disable endpoint security, and the BUGHATCH custom downloader, in addition to familiar tools such as Cobalt Strike BEACON and NetSupport. UNC2596 employed a multi-pronged extortion technique in which data was stolen and leaked on the group’s shame website, in addition to encrypting with Cuba ransomware.

Organizations can mitigate the risk by following the recommendations:

•Have an effective backup strategy that ensures the backup are inaccessible from the endpoint.•Keep all operating systems and software up to date.•Implement a user training program and phishing exercises.

The Mitre TTPs used by UNC2596 in the current attack are:

TA0001: Initial AccessTA0007: DiscoveryTA0040: ImpactTA0009: CollectionTA0005: Defense EvasionTA0003: PersistenceTA0011: Command and ControlTA0042: Resource DevelopmentTA0002: ExecutionTA0008: Lateral MovementTA0006: Credential AccessT1190: Exploit Public-Facing ApplicationT1010: Application Window DiscoveryT1012: Query RegistryT1016: System Network Configuration DiscoveryT1018: Remote System DiscoveryT1033: System Owner/User DiscoveryT1057: Process DiscoveryT1082: System Information DiscoveryT1083: File and Directory DiscoveryT1087: Account DiscoveryT1518: Software DiscoveryT1486: Data Encrypted for ImpactT1489: Service StopT1056.001: KeyloggingT1021.004: SSHT1555.003: Credentials from Web BrowsersT1021.001: Remote Desktop ProtocolT1112: Modify RegistryT1134: Access Token ManipulationT1134.001: Token Impersonation/TheftT1140: Deobfuscate/Decode Files or InformationT1497.001: System ChecksT1553.002: Code SigningT1564.003: Hidden WindowT1574.011: Services Registry Permissions WeaknessT1620: Reflective Code LoadingT1098: Account ManipulationT1136: Create AccountT1136.001: Local AccountT1543.003: Windows ServiceT1071.001: Web ProtocolsT1071.004: DNST1095: Non-Application Layer ProtocolT1105: Ingress Tool TransferT1573.002: Asymmetric CryptographyT1583.003: Virtual Private ServerT1587.003: Digital CertificatesT1588.003: Code Signing CertificatesT1608.001: Upload MalwareT1608.002: Upload ToolT1608.003: Install Digital CertificateT1608.005: Link TargetT1053: Scheduled Task/JobT1059: Command and Scripting InterpreterT1059.001: PowerShellT1129: Shared ModulesT1569.002: Service Execution

Actor Detail

Vulnerability Details

Indicators of Compromise (IoCs)

Recent Breaches

http://www.get-integrated.com

https://www.muntons.com/

https://www.cmmcpas.com

Patch Links

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207

References

https://www.mandiant.com/resources/unc2596-cuba-ransomware

 

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox