UNC2596 exploits Microsoft’s ProxyShell and ProxyLogon vulnerabilities to distribute Cuba Ransomware

Threat Level – Amber | Vulnerability Report


For a detailed advisory, download the PDF file here.

The threat actor UNC2596, known for its e-crime operations, has targeted more than 50 organizations in 11+ countries. The group expanded its initial access vector by exploiting the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange to deploy Cuba ransomware.

During intrusions, UNC2596 has used web shells to load the TERMITE in-memory dropper, with follow-on activity involving various backdoors and built-in Windows tools. The threat actor has also employed new malware, such as WEDGECUT to enumerate active hosts, BURNTCIGAR to disable endpoint security, and the BUGHATCH custom downloader, alongside familiar tools such as Cobalt Strike BEACON and NetSupport. UNC2596 employed a multi-pronged extortion technique in which data was stolen and leaked on the group’s shame website, in addition to encrypting victim systems with Cuba ransomware.

Organizations can mitigate the risk by following these recommendations:

• Have an effective backup strategy that ensures the backups are inaccessible from the endpoint.
• Keep all operating systems and software up to date.
• Implement a user training program and phishing exercises.

The MITRE ATT&CK TTPs used by UNC2596 in the current attack are:

Tactics:
• TA0001: Initial Access
• TA0007: Discovery
• TA0040: Impact
• TA0009: Collection
• TA0005: Defense Evasion
• TA0003: Persistence
• TA0011: Command and Control
• TA0042: Resource Development
• TA0002: Execution
• TA0008: Lateral Movement
• TA0006: Credential Access

Techniques:
• T1190: Exploit Public-Facing Application
• T1010: Application Window Discovery
• T1012: Query Registry
• T1016: System Network Configuration Discovery
• T1018: Remote System Discovery
• T1033: System Owner/User Discovery
• T1057: Process Discovery
• T1082: System Information Discovery
• T1083: File and Directory Discovery
• T1087: Account Discovery
• T1518: Software Discovery
• T1486: Data Encrypted for Impact
• T1489: Service Stop
• T1056.001: Keylogging
• T1021.004: SSH
• T1555.003: Credentials from Web Browsers
• T1021.001: Remote Desktop Protocol
• T1112: Modify Registry
• T1134: Access Token Manipulation
• T1134.001: Token Impersonation/Theft
• T1140: Deobfuscate/Decode Files or Information
• T1497.001: System Checks
• T1553.002: Code Signing
• T1564.003: Hidden Window
• T1574.011: Services Registry Permissions Weakness
• T1620: Reflective Code Loading
• T1098: Account Manipulation
• T1136: Create Account
• T1136.001: Local Account
• T1543.003: Windows Service
• T1071.001: Web Protocols
• T1071.004: DNS
• T1095: Non-Application Layer Protocol
• T1105: Ingress Tool Transfer
• T1573.002: Asymmetric Cryptography
• T1583.003: Virtual Private Server
• T1587.003: Digital Certificates
• T1588.003: Code Signing Certificates
• T1608.001: Upload Malware
• T1608.002: Upload Tool
• T1608.003: Install Digital Certificate
• T1608.005: Link Target
• T1053: Scheduled Task/Job
• T1059: Command and Scripting Interpreter
• T1059.001: PowerShell
• T1129: Shared Modules
• T1569.002: Service Execution
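Defenders usually want a TTP list like the one above in a form that can be loaded into tooling rather than read as prose. The following is an added example, not code from the advisory or from HivePro: it parses the run-together "ID: Name" list into tactics and techniques, flags sub-techniques whose parent technique is not listed (useful when checking detection coverage), and emits an ATT&CK Navigator layer. The input string is a constructed excerpt of the list above; the Navigator version numbers in the layer header are assumptions and should be set to match the Navigator instance in use.

```python
import json
import re

# Constructed input: an excerpt of the advisory's TTP list in the
# run-together form it appears in on the page (no separators between entries).
RAW_TTPS = (
    "TA0001: Initial AccessTA0007: DiscoveryTA0005: Defense Evasion"
    "T1190: Exploit Public-Facing ApplicationT1056.001: KeyloggingT1021.004: SSH"
    "T1555.003: Credentials from Web BrowsersT1134: Access Token Manipulation"
    "T1134.001: Token Impersonation/TheftT1071.004: DNST1095: Non-Application Layer Protocol"
    "T1059: Command and Scripting InterpreterT1059.001: PowerShell"
)

# An entry is a tactic ID (TAnnnn) or a technique ID (Tnnnn or Tnnnn.nnn),
# a colon, then a name that runs until the next ID begins.
_ID = r"TA\d{4}|T\d{4}(?:\.\d{3})?"
_ENTRY = re.compile(rf"({_ID}):\s*(.*?)(?={_ID}:|\Z)")


def parse_ttps(raw):
    """Split the fused list into {tactic_id: name} and {technique_id: name}."""
    tactics, techniques = {}, {}
    for ident, name in _ENTRY.findall(raw):
        target = tactics if ident.startswith("TA") else techniques
        target[ident] = name.strip()
    return tactics, techniques


def orphan_subtechniques(techniques):
    """Sub-techniques listed without their parent (e.g. T1056.001 with no T1056).

    When building detections it is worth knowing whether the parent behaviour
    is also in scope or only the specific sub-technique was observed.
    """
    return sorted(
        tid for tid in techniques
        if "." in tid and tid.split(".")[0] not in techniques
    )


def navigator_layer(name, techniques, comment):
    """Build an ATT&CK Navigator layer highlighting every listed technique.

    The 'versions' values are assumptions for this example; set them to the
    ATT&CK and Navigator versions your instance actually runs.
    """
    return {
        "name": name,
        "versions": {"attack": "10", "navigator": "4.5", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": comment,
        "techniques": [
            {"techniqueID": tid, "score": 1, "color": "#fd8d3c", "comment": comment}
            for tid in sorted(techniques)
        ],
    }


if __name__ == "__main__":
    tactics, techniques = parse_ttps(RAW_TTPS)
    print(f"{len(tactics)} tactics, {len(techniques)} techniques")
    print("sub-techniques without listed parent:", orphan_subtechniques(techniques))
    layer = navigator_layer("UNC2596 / Cuba ransomware (excerpt)", techniques,
                            "From HivePro advisory on UNC2596")
    print(json.dumps(layer, indent=2))
```

The regex lookahead is what makes the fused form parseable: each name is consumed lazily until the next "Tnnnn:" or "TAnnnn:" token, so names such as "SSH" or "DNS" that run straight into the following ID are still split correctly.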
