An affiliate of the Hive ransomware group has been actively targeting vulnerable Microsoft Exchange servers to deploy the malware.

Hive, which emerged in 2021, operates on a ransomware-as-a-service basis. RaaS ransomware purveyors provide the code and customer service to affiliates who undertake the attacks themselves. Typically the RaaS model involves the creator of the malicious code charging a monthly fee for access or taking a cut of any successful ransomware attack, or both.

The Hive attack on Exchange was detailed April 19 by researchers at Varonis Systems Inc. following one of its customers being targeted in a ransomware attack. In the attack, multiple devices and file services were compromised by Hive.

The attack vector for this attack was multiple ProxyShell Exchange security vulnerabilities. These attacks on Exchange servers have been used in the past by ransomware gangs such as Conti.ProxyShell is an evolution of an earlier attack method known as ProxyLogon.

The ProxyShell attacks take advantage of three vulnerabilities in Exchange, formally named CVE-2021-34474, CVE-2021-34523 and CVE-2021-31207. They were patched by Microsoft in April and May last year, but the problem is that not all users update their Exchange installations.

Having gained access to the targeted victim, the Hive affiliate then placed a malicious webshell backdoor script in a publicly accessible place directly on the Exchange server. These scripts could then execute malicious PowerShell code over the compromised server.

The next stage of the attack included the download of a remote command-and-control server associated with the Cobalt Strike framework, followed by the installation of other tools. The affiliates then scan for sensitive information and deploy the ransomware.

“While Microsoft Exchange and cloud-hosted SaaS applications provide some encryption at the application level, ransomware-as-a-service infections can utilize multiple attack vectors across Microsoft Azure and AWS, as these public cloud infrastructures are not natively encrypted,” Rajiv Pimplaskar, chief executive officer of virtual private network company Dispersive Holdings Inc., told SiliconANGLE.

“A third-party vendor-provided VPN should be implemented in a mesh topology that can obfuscate and protect all public cloud traffic and eliminate vulnerabilities. These solutions should also include endpoint device checking to minimize the likelihood of malware infections and credential theft,” he furthered.

Image: Varonis