Microsoft issued a press update stating that the Cuba Ransomware gang was targeting its Exchange servers after exploiting a critical server-side request forgery (SSRF) vulnerability. Incidentally, the same flaw is also being exploited by the ‘Play’ ransomware group, which hacked into Rackspace’s cloud servers via an OWASSRF exploit.
The Windows OS giant says that the threat actors were striking the servers after bypassing the ProxyNotShell URL Rewrite mitigations.
Both vulnerabilities now being used by the two ransomware gangs were identified and patched by the Redmond giant at the end of November 2022.
The report is also available to customers of Microsoft 365 Defender and Defender for Endpoint Plan 2, and to business subscribers holding a premium plan.
As for the earnings of Cuba Ransomware, the notorious gang had struck around 100 targets worldwide by August last year and raked in $60 million in ransoms.
Surprisingly, the gang members are not very active online, which makes them difficult to track down. They tend to launch attack campaigns at the end of a month or in the earlier months of the year and wind down their activities by August each year.
It is unclear whether they go on holiday afterwards or are hired by other gangs for their capabilities.
The FBI issued an advisory in December last year stating that the Cuba gang is targeting US critical infrastructure, having already hit 49 organizations, including companies involved in power generation and distribution and a water utility. As the impact was minimal, the activity went unnoticed by the media but was reported to the Biden administration.
Argentina’s Judiciary of Cordoba, the Belgian city of Antwerp, Rackspace and Germany’s H-Hotels are among its victims to date.