An affiliate of the Hive ransomware group has been actively targeting vulnerable Microsoft Exchange servers to deploy ransomware.
Hive first emerged in 2021 and operates on a ransomware-as-a-service basis. RaaS providers supply the code and customer support to affiliates, who carry out the attacks themselves. Typically the RaaS model involves the creator of the malicious code charging a monthly fee for access and/or taking a cut of any successful ransomware attack.
The Hive attack on Exchange was detailed by researchers at Varonis Systems Inc. after one of its customers was targeted in a ransomware attack. In the attack, multiple devices and file services were compromised by Hive.
The attack vector was a set of ProxyShell vulnerabilities in Exchange. ProxyShell attacks on Exchange servers have previously been used by ransomware gangs such as Conti and are an evolution of an earlier attack method known as ProxyLogon.
The ProxyShell attacks take advantage of three vulnerabilities in Exchange – CVE-2021-34474, CVE-2021-34523 and CVE-2021-31207 – that were patched by Microsoft in April and May last year. The problem remains that not every organization has applied the updates to its Exchange installations.
Having gained access to the targeted victim, the Hive affiliate then placed a malicious webshell backdoor script in a publicly accessible directory on the Exchange server. These scripts could then execute malicious PowerShell code on the compromised server.
The next stage of the attack included downloading a command-and-control agent associated with the Cobalt Strike framework, followed by the installation of other tools. The affiliate then scanned for sensitive information and deployed the ransomware.
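The webshell stage described above leaves an artifact a defender can look for: a server-side script file written into a web-reachable Exchange directory well after the server was installed. The following PowerShell script is an added example, not code from the article or from Varonis; it lists recently created or modified `.aspx`/`.ashx`/`.asmx`/`.asp` files under a set of directories and records their SHA-256 hashes for triage. The directory list is an assumption based on common IIS and Exchange front-end locations and should be adjusted to the server being checked.

```powershell
# Added example (not from the article): hunt for recently written server-side
# script files in web-reachable Exchange directories, the kind of location
# where a webshell would be dropped after a ProxyShell compromise.
param(
    [int]$Days = 30,                       # look-back window; tune to the last known-good patch date
    [string]$Report = '.\exchange-webshell-hunt.csv'
)

# Assumed candidate directories; $env:ExchangeInstallPath is set on Exchange servers.
$paths = @('C:\inetpub\wwwroot')
if ($env:ExchangeInstallPath) {
    $paths += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    $paths += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}

$cutoff        = (Get-Date).AddDays(-$Days)
$serverScripts = @('*.aspx', '*.ashx', '*.asmx', '*.asp')

$findings = foreach ($root in $paths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $serverScripts -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    # Newest changes first; these are the files to review by hand.
    $findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
    $findings | Export-Csv -Path $Report -NoTypeInformation
    Write-Host "Wrote $(@($findings).Count) candidate file(s) to $Report"
} else {
    Write-Host "No server-side script files newer than $cutoff under the checked paths."
}
```

A hit is a lead, not a verdict: Exchange cumulative updates also rewrite files under these paths, so compare the timestamps against the server's patch history and review the contents of anything that does not match a known update. Recording the hash lets the file be compared across servers and checked against the indicators in the vendor's report.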
“While Microsoft Exchange and cloud-hosted SaaS applications provide some encryption at the application level, ransomware-as-a-service infections can utilize multiple attack vectors across Microsoft Azure and AWS, as these public cloud infrastructures are not natively encrypted,” Rajiv Pimplasker, chief executive officer of virtual private network company Dispersive Holdings Inc., told SiliconANGLE.
“To maintain zero trust principles at the networking level, a third-party vendor-provided VPN should be implemented in a mesh topology that can obfuscate and protect all public cloud traffic and eliminate vulnerabilities,” Pimplasker added. “These solutions should also include endpoint device checking to minimize the likelihood of malware infections and credential theft.”