Recently, ransomware gang UNC2596 has been observed leveraging Microsoft Exchange vulnerabilities to target corporate networks and encrypt devices.

About the targets

According to a report by Mandiant researchers, UNC2596 has been launching such campaigns since August 2021.
  • The group has targeted utility providers, government agencies, and organizations that support non-profits and healthcare entities.
  • Around 80% of the impacted victim organizations are based in the U.S., Canada, Australia, and several other countries in North America and Europe.
  • UNC2596’s multi-faceted extortion campaign steals data, exfiltrates it prior to encrypting victim systems, and threatens to publish or sell it.

Attack tools and tactics

UNC2596 has focused on Microsoft Exchange vulnerabilities to gain initial access to the target network.
  • Attackers leveraged Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon as an initial attack vector to deploy COLDDRAW ransomware, publicly known as Cuba ransomware.
  • To a great extent, the ransomware gang uses commodity and custom malware and a variety of backdoors to establish its foothold on the target network.
  • These include malware and utilities such as Cobalt Strike beacon, NetSupport, Mimikatz, RDP, SMB, PsExec, Wicker, and Termite, as well as its exclusive tools Bughatch, Wedgecut, eck.exe, and Burntcigar.

The CHANITOR connection

Mandiant has observed overlaps between CHANITOR (aka Hancitor) malware-related operations and Cuba incidents, including infrastructure overlaps, common code signing certificates, use of a shared packer, and naming similarities for domains, files, and URLs paths.


The exploitation of known vulnerabilities offers the threat actors more accurate targeting and higher success rates in their operations. A sophisticated group like UNC2596 may shift its focus to other vulnerabilities and can also draw the attention of other hacking groups toward this trend. Users can create barriers for potential attacks by applying the available security updates as soon as the software vendors release them.

Cyware Publisher