Ransomware Awareness – Microsoft Exchange Vulnerabilities Exploited to Deliver Cuba Ransomware

Created: Tuesday, March 1, 2022 - 14:19
Categories:
Cybersecurity

The Cuba ransomware group is exploiting Microsoft Exchange vulnerabilities to gain initial access to enterprise networks and eventually deploy ransomware, according to security researchers at Mandiant. Cuba ransomware has been around since 2019, but the group's activity increased in 2021, prompting the FBI to issue a FLASH advisory. The FLASH, which was shared by WaterISAC, indicated that since November 2021, Cuba ransomware threat actors had targeted at least 49 critical infrastructure entities.

According to Mandiant’s latest report, the Cuba ransomware gang has been exploiting Microsoft Exchange vulnerabilities since August 2021 to deploy web shells, RATs, and backdoors on unpatched servers and secure a foothold on target networks. The gang’s attack pattern also includes using stolen credentials to escalate privileges, followed by network reconnaissance and lateral movement, ultimately resulting in data exfiltration and file encryption. Members are encouraged to verify the status of Microsoft Exchange security updates to reduce the risk from exploitation of these vulnerabilities. Read more at BleepingComputer.