UPDATED 21:14 EDT / APRIL 21 2022


Hive ransomware affiliate targets vulnerable Microsoft Exchange servers

An affiliate of the Hive ransomware group has been actively targeting vulnerable Microsoft Exchange servers to deploy the malware.

Hive, which emerged in 2021, operates on a ransomware-as-a-service basis. RaaS ransomware purveyors provide the code and customer service to affiliates who undertake the attacks themselves. Typically the RaaS model involves the creator of the malicious code charging a monthly fee for access or taking a cut of any successful ransomware attack, or both.

The Hive attack on Exchange was detailed April 19 by researchers at Varonis Systems Inc. following one of its customers being targeted in a ransomware attack. In the attack, multiple devices and file services were compromised by Hive.

The attack vector was a set of ProxyShell vulnerabilities in Exchange. ProxyShell attacks on Exchange servers have been used in the past by ransomware gangs such as Conti. ProxyShell is an evolution of an earlier attack method known as ProxyLogon.

The ProxyShell attacks take advantage of three vulnerabilities in Exchange, formally named CVE-2021-34474, CVE-2021-34523 and CVE-2021-31207. They were patched by Microsoft in April and May last year, but the problem is that not all users update their Exchange installations.

Having gained access to the victim's environment, the Hive affiliate placed a malicious webshell backdoor script in a publicly accessible directory directly on the Exchange server. The webshell could then be used to execute malicious PowerShell code on the compromised server.

The next stage of the attack involved downloading a component of the Cobalt Strike framework that connects to a remote command-and-control server, followed by the installation of other tools. The affiliate then scanned for sensitive information and deployed the ransomware.
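The attack chain above (vulnerable Exchange server, webshell dropped in a publicly reachable directory, PowerShell executed through it) leaves a trace that defenders can look for before the Cobalt Strike stage: requests to a script file that the server never served before. The following is an added example written for this article, not code from Varonis or the Hive report. It parses IIS W3C-format logs, learns which URI stems were served before a cutoff date, and flags later successful requests to .aspx files outside that baseline. The log lines, file names, paths and IP addresses are all constructed for illustration; the `/owa/auth/` location and the `x7k2.aspx` name are assumptions, not paths named in the article.

```python
"""Surface requests to .aspx resources that never appeared in a baseline period.

Added example, not code from the Varonis report or the article: a defender's
check for web-shell activity of the kind described above. It parses IIS W3C
logs, learns the URI stems served before a cutoff date, and flags later
successful requests to .aspx files outside that set. Every log line, path
and IP address here is constructed for illustration.
"""
from collections import defaultdict

# Constructed IIS W3C excerpt; the "#Fields:" line defines the column order.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-04-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.10 Mozilla/5.0 200
2022-04-10 09:12:05 10.0.0.5 POST /owa/auth.owa - 203.0.113.10 Mozilla/5.0 302
2022-04-10 09:12:09 10.0.0.5 GET /ecp/default.aspx - 203.0.113.10 Mozilla/5.0 200
2022-04-11 02:41:17 10.0.0.5 POST /owa/auth/x7k2.aspx - 198.51.100.77 python-requests/2.27 200
2022-04-11 02:41:20 10.0.0.5 POST /owa/auth/x7k2.aspx - 198.51.100.77 python-requests/2.27 200
2022-04-11 02:41:25 10.0.0.5 GET /owa/auth/missing.aspx - 198.51.100.77 python-requests/2.27 404
2022-04-11 08:03:44 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.22 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line: skip instead of guessing at columns
        records.append(dict(zip(fields, values)))
    return records


def detect_new_aspx(text, cutoff_date):
    """Flag successful requests after cutoff_date to .aspx stems unseen before it.

    The baseline is every stem requested on dates before cutoff_date (ISO
    yyyy-mm-dd strings compare correctly as text). Only 2xx responses are
    reported: a 404 for a guessed name is noise, while a 200 for an unknown
    script means the file really is on disk and being served.
    """
    records = parse_w3c(text)
    baseline = {r["cs-uri-stem"].lower() for r in records if r["date"] < cutoff_date}
    hits = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if r["date"] < cutoff_date or not stem.endswith(".aspx"):
            continue
        if stem in baseline or not r["sc-status"].startswith("2"):
            continue
        hits.append({"when": f'{r["date"]} {r["time"]}', "client": r["c-ip"],
                     "method": r["cs-method"], "stem": stem, "agent": r["cs(User-Agent)"]})
    return hits


def summarize(hits):
    """Group hits by stem: request count and the distinct client addresses."""
    per_stem = defaultdict(lambda: {"count": 0, "clients": set()})
    for h in hits:
        per_stem[h["stem"]]["count"] += 1
        per_stem[h["stem"]]["clients"].add(h["client"])
    return {s: {"count": v["count"], "clients": sorted(v["clients"])}
            for s, v in per_stem.items()}


if __name__ == "__main__":
    found = detect_new_aspx(IIS_LOG, "2022-04-11")
    for h in found:
        print(f'{h["when"]} {h["client"]} {h["method"]} {h["stem"]} ({h["agent"]})')
    print(summarize(found))
```

On the constructed log this reports the two successful POSTs to `/owa/auth/x7k2.aspx` and nothing else: the existing `logon.aspx` is in the baseline, and the 404 for `missing.aspx` is dropped as a probe rather than a served script. In a real deployment the baseline would come from a longer quiet window or from an inventory of the files Exchange is known to ship, and the 404 lines are worth keeping as a separate, lower-severity signal of someone looking for a shell that is not there.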

“While Microsoft Exchange and cloud-hosted SaaS applications provide some encryption at the application level, ransomware-as-a-service infections can utilize multiple attack vectors across Microsoft Azure and AWS, as these public cloud infrastructures are not natively encrypted,” Rajiv Pimplaskar, chief executive officer of virtual private network company Dispersive Holdings Inc., told SiliconANGLE.

“A third-party vendor-provided VPN should be implemented in a mesh topology that can obfuscate and protect all public cloud traffic and eliminate vulnerabilities. These solutions should also include endpoint device checking to minimize the likelihood of malware infections and credential theft,” he added.

Image: Varonis
