A ransomware gang known as Cuba is reportedly leveraging Microsoft Exchange bugs such as ProxyShell and ProxyLogon as initial infection vectors in its attacks. The threat actor has been attempting to break into organization’s networks as part of a campaign that began last August, says Mandiant. Mandiant reported that the group deploys the COLDRAW ransomware, and might be the only group to use the strain. Mandiant has not observed Cuba attacking hospitals or entities that provide urgent care, however, they have been attributed by the FBI a spate of attacks targeting at least 49 US entities in the financial, government, healthcare, manufacturing, and information-technology sectors.

The FBI reported that the Cuba ransomware is distributed via a first-stage implant and acts as a loader for additional payloads, such as the Hancitor malware that has been around for five years Cuba has explored Exchange vulnerabilities before, and other avenues of attack include phishing emails, compromised credentials, or legitimate Remote Desktop Protocol tools. Mandiant reported that the group frequently targets vulnerabilities on public-facing Microsoft Exchange software, seeking to detect which networks are vulnerable to attack.

Read More: Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang