Hive ransomware affiliate zeros in on Exchange servers
Threat actor exploited known vulnerabilities in the Microsoft software to compromise multiple systems
An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to encrypt and exfiltrate data and threaten to publicly disclose the information if the ransom isn't paid.
In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers, encrypting the data within 72 hours of the start of the attack, threat hunters with data security vendor Varonis Systems said in a report this week.
The attack included all the hallmarks of one associated with Hive, a ransomware-as-a-service (RaaS) group that emerged in June 2021 and has targeted a range of sectors, including healthcare, retail, nonprofits, and energy providers.
It included the malware that encrypts the data and – as is becoming more common in ransomware attacks – the added threat of data disclosure to further incentivize the victim to pay the ransom.
(Ransomware groups increasingly will add a third threat, saying they will wipe files clean if the ransom isn't paid, though that didn't happen in this case.)
The Hive group has established itself as a particularly aggressive organization in the relatively short time it has been around. According to a report in December from threat intelligence firm Intel 471, Hive was the fourth most active ransomware operator. In another report last year, cybersecurity company Group-IB attributed 335 ransomware attacks to Hive or Hive affiliates.
The threat group operates in the growing RaaS market, leasing its ransomware and support infrastructure to affiliates who carry out the intrusions. Cybersecurity vendor Sophos reported that over an 18-month period, 60 percent of the ransomware attacks it investigated were RaaS incidents.
In an alert [PDF] this week, the US Department of Health and Human Services (HHS) warned healthcare providers about the Hive threat.
In the attack detailed by Varonis, the attacker focused on the ProxyShell remote code execution (RCE) vulnerabilities that have been used in the past by other threat groups, including Conti. Microsoft patched the flaws – tracked as CVE-2021-34473 (a pre-authentication path confusion in the Exchange front end), CVE-2021-34523 (elevation of privilege in the Exchange PowerShell backend), and CVE-2021-31207 (a post-authentication arbitrary file write) – a year ago, but not all organizations updated their Exchange servers. Chained together, the three bugs give an unauthenticated attacker code execution on the server, which is why unpatched, internet-facing Exchange remains such a popular entry point.
After exploiting the vulnerabilities, the attacker deployed a backdoor webshell that executed malicious PowerShell code on the compromised system with SYSTEM privileges, then pulled additional stagers from a command-and-control (C2) server linked to the Cobalt Strike framework. One of those stagers was a further obfuscated PowerShell script.
The hacker took control of the domain administrator account and moved laterally through the network, according to the researchers.
"In addition to searching for files containing 'password' in their names, observed activities included dropping network scanners and collecting the networks' IP addresses and device names, followed by RDPs [Remote Desktop Protocol] to the backup servers and other critical assets," they wrote.
A new local account named "user" was created for persistence and added to the Remote Desktop Users and Administrators groups. That account was then used to search for the password-related files and to open RDP sessions to backup servers and other devices.
"Leveraging the stolen domain admin account, the actor performed RDP access requests using mstsc.exe following the parameter '/v' to multiple devices on the network, mainly searching for servers associated with the network backups and SQL servers," the researchers wrote. "We strongly believe that these actions were performed to confirm the ability to access the critical servers before the ransomware deployment."
The custom malware payload, named "windows.exe", was deployed to multiple devices, encrypting the data and dropping a ransom note that threatened public disclosure of the stolen information if the victim didn't pay.
"The threat actors began their final actions by distributing a file named 'windows.exe,' which was the ransomware payload written in Golang," they wrote. "The payload performs multiple operations, including deleting shadow copies, disabling security products, clearing Windows event logs, and closing handles on files to guarantee a smooth encryption process."
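The intrusion chain above (web shell spawning PowerShell from the IIS worker process, an encoded PowerShell stager, a new "user" account added to Remote Desktop Users and Administrators, mstsc.exe fan-out to backup and SQL servers, and shadow-copy deletion and log clearing before encryption) maps cleanly onto process-creation telemetry. The hunting script below is an added example written for this article, not Varonis's or Hive's code. It assumes Sysmon event ID 1-style fields (ParentImage, Image, CommandLine, User) serialized one JSON object per line; the sample log lines are constructed, not taken from the victim, and the net.exe and vssadmin/wevtutil command forms are assumed, since the report does not say how the account was created or how the payload deleted shadow copies and cleared logs.

```python
"""Hunt for the Hive-affiliate TTPs described above in process-creation logs.

Added example, not from the Varonis report. Input format is an assumption:
one JSON object per line with Sysmon-like fields (host, User, ParentImage,
Image, CommandLine). Sample events below are constructed for illustration.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not real victim data). Raw string so the JSON
# backslashes reach json.loads untouched.
SAMPLE_LOG = r"""
{"host":"EXCH01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"host":"EXCH01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c net user user P@ssw0rd! /add"}
{"host":"EXCH01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net localgroup \"Remote Desktop Users\" user /add"}
{"host":"EXCH01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net localgroup Administrators user /add"}
{"host":"WS-17","User":"CORP\\da-admin","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mstsc.exe","CommandLine":"mstsc.exe /v:BACKUP01"}
{"host":"WS-17","User":"CORP\\da-admin","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mstsc.exe","CommandLine":"mstsc.exe /v:SQL02"}
{"host":"WS-17","User":"CORP\\da-admin","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mstsc.exe","CommandLine":"mstsc.exe /v:FS01.corp.local"}
{"host":"WS-03","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mstsc.exe","CommandLine":"mstsc.exe /v:TS01"}
{"host":"FS01","User":"CORP\\da-admin","ParentImage":"C:\\Temp\\windows.exe","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe delete shadows /all /quiet"}
{"host":"FS01","User":"CORP\\da-admin","ParentImage":"C:\\Temp\\windows.exe","Image":"C:\\Windows\\System32\\wevtutil.exe","CommandLine":"wevtutil.exe cl Security"}
{"host":"WS-03","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
"""

# Children of the IIS worker process that indicate a web shell executing commands.
WEBSHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
# Assumed command forms for persistence: account creation and group membership.
NET_USER_ADD = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add")
NET_GROUP_ADD = re.compile(
    r'(?i)\bnet1?(?:\.exe)?\s+localgroup\s+"?(remote desktop users|administrators)"?\s+(\S+)\s+/add'
)
# mstsc.exe /v:<target>, the RDP fan-out the report describes.
MSTSC_TARGET = re.compile(r"(?i)\bmstsc(?:\.exe)?\b.*?/v:(\S+)")
# Assumed pre-encryption preparation: shadow copy deletion and event log clearing.
PRE_ENCRYPTION = re.compile(
    r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete|\bwevtutil(?:\.exe)?\s+cl\s"
)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log_text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def hunt(log_text, rdp_fanout_threshold=3):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    rdp_targets = defaultdict(set)  # (host, user) -> distinct RDP targets
    for ev in parse_events(log_text):
        parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        cmd, host, user = ev.get("CommandLine", ""), ev.get("host", "?"), ev.get("User", "?")
        hit = lambda rule, detail: findings.append(
            {"rule": rule, "host": host, "user": user, "detail": detail})

        if parent == "w3wp.exe" and image in WEBSHELL_CHILDREN:
            hit("webshell_child", cmd)
        if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
            hit("encoded_powershell", cmd)
        if m := NET_USER_ADD.search(cmd):
            hit("local_account_created", m.group(1))
        if m := NET_GROUP_ADD.search(cmd):
            hit("privileged_group_add", f"{m.group(2)} -> {m.group(1)}")
        if m := MSTSC_TARGET.search(cmd):
            rdp_targets[(host, user)].add(m.group(1).lower())
        if PRE_ENCRYPTION.search(cmd):
            hit("pre_encryption_prep", cmd)

    # One user reaching many distinct hosts over RDP is the pre-deployment
    # access check the researchers describe; a single session is normal.
    for (host, user), targets in rdp_targets.items():
        if len(targets) >= rdp_fanout_threshold:
            findings.append({"rule": "rdp_fanout", "host": host, "user": user,
                             "detail": sorted(targets)})
    return findings


def rule_counts(findings):
    """Number of hits per rule, for triage summaries."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:24} {f['host']:8} {f['user']:22} {f['detail']}")
```

Each rule here is coarse on purpose: w3wp.exe spawning a shell is rare enough on a patched Exchange server to be worth a ticket on its own, while the RDP fan-out and the net.exe group additions become high-confidence only when they cluster on the same host or account within a short window, which is how the Varonis timeline reads.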
The threat hunters said enterprises can take several steps to better protect themselves against such attacks: keep Exchange servers current with the latest cumulative and security updates from Microsoft, require complex passwords and periodic password changes, revoke local administrative permissions from domain accounts, and remove inactive user accounts. ®