Microsoft Exchange servers hacked to deploy Hive ransomware

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to the ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.

From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, and eventually deploy the file-encrypting payload.

The details come from security and analytics firm Varonis, which was called in to investigate a ransomware attack on one of its customers.

A widely abused initial access vector

ProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that together allow remote code execution without authentication on vulnerable deployments. The flaws have been used by a number of threat actors, including ransomware operations such as Conti, BlackByte, Babuk, Cuba, and LockFile, after exploits became available.

The flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, and their severity ratings range from 7.2 (high) to 9.8 (critical).

The security vulnerabilities have been considered fully patched as of May 2021, but extensive technical details about them were only made available in August 2021, and soon after that, malicious exploitation began [1, 2].

The fact that Hive’s affiliate succeeded in exploiting ProxyShell in a recent attack shows that unpatched, vulnerable servers remain exposed.

From access to encryption

After exploiting ProxyShell, the hackers planted four web shells in an accessible Exchange directory and executed PowerShell code with high privileges to download Cobalt Strike stagers.

The web shells used in this particular attack were sourced from a public Git repository and were merely renamed to evade detection during potential manual inspections.

Randomly-named web shells (Varonis)

From there, the intruders used Mimikatz, a credential stealer, to snatch the password of a domain admin account and perform lateral movement, accessing more assets in the network.

Launching a new command prompt on the affected system (Varonis)

Next, the threat actors performed extensive file search operations to locate the most valuable data, to be used to pressure the victim into paying a larger ransom.

Varonis analysts found remnants of dropped network scanners, IP address lists, device and directory enumerations, RDP sessions to backup servers, scans for SQL databases, and more.

One notable case of network scanning software abuse was “SoftPerfect”, a lightweight tool that the threat actor used to enumerate live hosts by pinging them and saving the results to a text file.

Finally, after all data had been exfiltrated, a ransomware payload named “Windows.exe” was dropped and executed on multiple devices.

Before encrypting the organization’s files, the Golang payload deleted shadow copies, disabled Windows Defender, cleared Windows event logs, killed file-binding processes, and stopped the Security Accounts Manager to incapacitate alerts.

Commands executed by the final payload (Varonis)
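The preparation steps described above (shadow-copy deletion, Defender tampering, event-log clearing, stopping the Security Accounts Manager) are individually routine admin actions but rarely occur together within minutes on one host. The detector below is an added example, not code from Varonis or from the Hive payload; it assumes a pipe-delimited `timestamp|host|user|command_line` process-creation log, uses its own regular expressions for commonly known commands that achieve each step, and runs over constructed sample lines.

```python
"""Flag hosts where several ransomware pre-encryption behaviours cluster in time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour -> command-line pattern. The commands are common ways to achieve
# each step named in the article; the patterns themselves are this example's.
BEHAVIOURS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable|DisableAntiSpyware", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "sam_service_stop": re.compile(r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+samss\b", re.I),
}

# Constructed sample telemetry (hosts, users and times are made up).
SAMPLE_LOG = r"""2022-04-20T02:11:03|EXCH01|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2022-04-20T02:11:05|EXCH01|NT AUTHORITY\SYSTEM|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2022-04-20T02:11:09|EXCH01|NT AUTHORITY\SYSTEM|wevtutil.exe cl Security
2022-04-20T02:11:10|EXCH01|NT AUTHORITY\SYSTEM|net.exe stop samss /y
2022-04-20T09:30:00|FS02|CORP\backupadmin|vssadmin.exe delete shadows /for=D: /oldest
2022-04-20T14:02:44|WS17|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE""".splitlines()


def parse_line(line):
    """Split 'timestamp|host|user|command_line' into typed fields."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def classify(cmd):
    """Return the set of behaviour names a command line matches (possibly empty)."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmd)}


def find_preparation_sequences(lines, window=timedelta(minutes=10), min_behaviours=3):
    """Return {host: sorted behaviours} for hosts showing at least `min_behaviours`
    distinct behaviours within `window`. A single match (e.g. a backup admin
    pruning old shadow copies) is not reported; the clustering is the signal."""
    events = defaultdict(list)  # host -> [(timestamp, behaviour)]
    for line in lines:
        ts, host, _user, cmd = parse_line(line)
        for behaviour in classify(cmd):
            events[host].append((ts, behaviour))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window from each event
            seen = {b for ts, b in evs[i:] if ts - start <= window}
            if len(seen) >= min_behaviours:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, behaviours in find_preparation_sequences(SAMPLE_LOG).items():
        print(f"{host}: pre-encryption preparation observed ({', '.join(behaviours)})")
```

In the sample, only EXCH01 is reported; FS02's lone shadow-copy deletion stays below the threshold.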

Hive evolution

Hive has come a long way since it was first observed in the wild back in June 2021, having a powerful start that prompted the FBI to release a dedicated report on its tactics and indicators of compromise.

In October 2021, the Hive gang added Linux and FreeBSD variants, and in December it became one of the most active ransomware operations by attack frequency.

Last month, researchers at Sentinel Labs reported on a new payload-hiding obfuscation method used by Hive, which indicates active development.