Hive ransomware affiliate targets vulnerable Microsoft Exchange servers

The latest Hive ransomware incident reveals how the affiliate operates and how attackers target particular organizations

Hive ransomware affiliates target Microsoft Exchange servers. Attackers exploit PowerShell to deploy ransomware.

In the most recent attack, the affiliate exploited the ProxyShell vulnerabilities in Microsoft Exchange Server. The goal of compromising these servers is to deploy additional malware such as backdoors.[1] A Cobalt Strike beacon was also used in this case.

Threat actors can perform network reconnaissance, steal admin account credentials, and exfiltrate other data from compromised machines. Deploying the file-encrypting virus is the ultimate goal, but along the way the attackers gain access to a range of valuable and sensitive data. In this incident they managed to encrypt the environment less than 72 hours after the initial intrusion.[2]

The incident analysis shows that the attackers used a widely abused initial-access vulnerability. ProxyShell is a set of flaws in Microsoft Exchange Server that allows unauthenticated remote code execution on the targeted system. These flaws have been used extensively by other groups before.

The exploitation of ProxyShell leads to file encryption

These flaws, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, range from 7.2 to 9.8 in severity. They have been considered fully patched since May 2021, but the publication of technical details was followed by extensive exploitation. The Hive affiliate incident and these recent attacks show that ProxyShell can still be exploited to this day and that there are still issues that need to be addressed.

The vulnerability provides the initial foothold. Attackers then plant web shells in accessible Exchange directories and use them to execute PowerShell code of their choosing with high privileges. This is the stage at which Cobalt Strike, other backdoors, and further malware are downloaded.[3]
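A defender's first check after a ProxyShell exposure is whether any server-side script files have appeared in the Exchange front-end directories that were not part of the clean install. The following is an added example, not code from the article or from 2-Spyware: it compares an on-disk inventory of `.aspx`/`.ashx`/`.asmx` files against a known-good baseline of hashes and reports anything unknown or altered. The file records, hashes, baseline and timestamps are constructed, and the watched directory names are an assumption about a default Exchange 2016/2019 install path.

```python
"""Flag unexpected .aspx/.ashx/.asmx files in Exchange front-end directories.

Added example, not code from the article or from 2-Spyware.  The file
records, hashes, baseline and timestamps below are constructed; the watched
directories are an assumption about a default Exchange 2016/2019 install.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Server-side script extensions a web shell would need in order to be run by IIS.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Assumed default front-end directories; in practice build this list from the
# host's own Exchange install path and its IIS virtual directory configuration.
WATCHED_DIRS = (
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
)


@dataclass
class FileRecord:
    path: str
    sha256: str         # hash of the file content as found on disk
    modified: datetime  # last-write timestamp from the file system


def in_watched_dir(path: str) -> bool:
    lower = path.lower()
    return any(lower.startswith(d.lower()) for d in WATCHED_DIRS)


def audit_web_files(records: List[FileRecord],
                    baseline: Dict[str, str],
                    last_patch: datetime) -> List[dict]:
    """Return one finding per script file that is unknown, altered, or written
    after the last patch.  `baseline` maps a lower-cased path to the sha256 of
    that file in a known-good install; `last_patch` is when the install was
    last updated, so any legitimate write should be at or before it."""
    findings = []
    for rec in records:
        if not rec.path.lower().endswith(SCRIPT_EXTENSIONS):
            continue                      # static assets cannot execute server-side
        if not in_watched_dir(rec.path):
            continue
        expected = baseline.get(rec.path.lower())
        if expected is None:
            reason = "script file not in baseline inventory"
        elif expected != rec.sha256:
            reason = "content differs from baseline"
        elif rec.modified > last_patch:
            reason = "known file written after last patch (verify)"
        else:
            continue                      # identical to the clean install
        findings.append({"path": rec.path, "reason": reason,
                         "modified": rec.modified.isoformat()})
    return findings


OWA_AUTH = WATCHED_DIRS[0]
LAST_PATCH = datetime(2021, 7, 13)        # constructed: date of the host's last update

# Constructed baseline: fake hashes standing in for a clean-install inventory.
BASELINE = {
    (OWA_AUTH + r"\logon.aspx").lower():   "aaaa1111",
    (OWA_AUTH + r"\errorfe.aspx").lower(): "bbbb2222",
}

# Constructed on-disk inventory of the same host after the incident.
SAMPLE_RECORDS = [
    FileRecord(OWA_AUTH + r"\logon.aspx", "aaaa1111", datetime(2021, 7, 13)),
    FileRecord(OWA_AUTH + r"\errorFE.aspx", "cccc3333", datetime(2022, 1, 5, 1, 55)),
    FileRecord(OWA_AUTH + r"\unexpected.aspx", "dddd4444", datetime(2022, 1, 5, 1, 57)),
    FileRecord(OWA_AUTH + r"\themes\resources\logo.png", "eeee5555",
               datetime(2022, 1, 5, 1, 58)),              # not a script: ignored
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\system_web\web.config",
               "ffff6666", datetime(2022, 1, 5, 1, 59)),  # not a script: ignored
]

if __name__ == "__main__":
    for f in audit_web_files(SAMPLE_RECORDS, BASELINE, LAST_PATCH):
        print(f"{f['reason']:45} {f['path']}  ({f['modified']})")
```

On a real host the records would come from walking the Exchange install directory and hashing each file, and the baseline from a freshly patched reference server or the installation media; the path comparison is case-insensitive because NTFS is.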

From there, information stealers and credential stealers are used to harvest the passwords of domain admin accounts so that lateral movement can be performed; this is how further access to the network is obtained. File search operations then locate more valuable data to lock, so that the ransom demand can be larger and is more likely to be paid.

Hive ransomware ensures persistence

The ransomware typically triggers various processes to keep itself persistent. Hive ransomware locates the files to encrypt, but before encryption the Golang payload deletes Shadow Copies, disables Windows Defender, clears event logs, and stops various processes. Only then does the encryption run, locking valuable and commonly used data on the system.
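The pre-encryption steps just described each leave a Windows event behind, and together they form a pattern a detection engineer can alert on. The following is an added example, not code from the article or from 2-Spyware: it classifies parsed Windows event records into the four tactics named above (shadow copy deletion, Defender tampering, event log clearing, service stops) and raises an alert only when several distinct tactics cluster on one host within a short window, since any single one of them has routine explanations. The event records are constructed; the field names (`time`, `log`, `event_id`, `command_line`) assume the events have already been parsed into dicts.

```python
"""Detect the pre-encryption sequence (shadow copy deletion, Defender
tampering, event log clearing, service stops) in Windows event records.

Added example, not code from the article or from 2-Spyware.  The event
records are constructed; the field names assume events already parsed into
dicts with `time`, `log`, `event_id` and an optional `command_line`.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command-line patterns for process-creation events (Security 4688 or Sysmon 1).
TACTIC_PATTERNS = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("defender_tampering", re.compile(
        r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware|DisableRealtimeMonitoring", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("service_stop", re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service)\b", re.I)),
]

# Events that record the same actions without any command line.
EVENT_ID_TACTICS = {
    ("Security", 1102): "event_log_clearing",   # "The audit log was cleared"
    ("System", 104): "event_log_clearing",      # "The <name> log file was cleared"
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_tampering",
}


def classify_event(event: Dict) -> Optional[str]:
    """Map one event record to a tactic label, or None if it is unremarkable."""
    tactic = EVENT_ID_TACTICS.get((event.get("log"), event.get("event_id")))
    if tactic:
        return tactic
    cmd = event.get("command_line") or ""
    for label, pattern in TACTIC_PATTERNS:
        if pattern.search(cmd):
            return label
    return None


def find_pre_encryption_sequence(events: List[Dict],
                                 window: timedelta = timedelta(minutes=60),
                                 min_tactics: int = 3) -> Dict:
    """Return the densest cluster of distinct tactics seen within `window`.
    One of these actions alone may be backup rotation or admin maintenance;
    several distinct ones in a short time on one host is the pattern to page on."""
    hits = []
    for ev in events:
        tactic = classify_event(ev)
        if tactic:
            hits.append((datetime.fromisoformat(ev["time"]), tactic, ev))
    hits.sort(key=lambda h: h[0])
    best = {"alert": False, "tactics": set(), "start": None, "end": None, "events": []}
    for i, (t0, _, _) in enumerate(hits):
        cluster = [h for h in hits[i:] if h[0] - t0 <= window]
        tactics = {h[1] for h in cluster}
        if len(tactics) > len(best["tactics"]):
            best = {"alert": len(tactics) >= min_tactics, "tactics": tactics,
                    "start": t0, "end": cluster[-1][0],
                    "events": [h[2] for h in cluster]}
    return best


SAMPLE_EVENTS = [  # constructed records from a single host
    {"time": "2022-01-05T02:10:05", "log": "Security", "event_id": 4688,
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"time": "2022-01-05T02:12:41", "log": "Security", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-01-05T02:12:58", "log": "Security", "event_id": 4688,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2022-01-05T02:13:20",
     "log": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"time": "2022-01-05T02:15:02", "log": "Security", "event_id": 1102},
    {"time": "2022-01-05T02:16:30", "log": "Security", "event_id": 4688,
     "command_line": "net.exe stop MSSQLSERVER /y"},
    {"time": "2022-01-05T09:00:00", "log": "Security", "event_id": 4688,
     "command_line": "wevtutil.exe qe Security /c:5"},   # a query, not a clear: ignored
]

if __name__ == "__main__":
    result = find_pre_encryption_sequence(SAMPLE_EVENTS)
    print("alert:", result["alert"], sorted(result["tactics"]),
          result["start"], "->", result["end"])
```

Feeding this from a SIEM means grouping events by host before calling `find_pre_encryption_sequence`; the window and `min_tactics` threshold are the tuning knobs, and the returned `events` list is what an analyst needs to confirm the sequence rather than a bare score.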

Hive ransomware is a threat that was first discovered in June 2021. Its operations have been causing problems and have attracted the attention of security researchers. The FBI has released a dedicated report[4] describing its tactics and methods of compromise.

Ransomware attacks in general have grown over recent years and remain a major issue and the preferred method of cybercriminals seeking maximum profit. The FBI and other agencies constantly report on and warn about various ransomware gangs and attacks, particularly those targeting specific industries and organizations.

Recent reports show that cryptovirus creators regularly target the US agriculture sector. A number of attacks against such entities during the critical season indicate a shift in targets. These attacks can disrupt operations, cause financial losses, and negatively affect the global and national food supply chain. The latest such attack involved the major LockBit 2.0 ransomware and a multi-state grain company.[5]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
