Hive Affiliates Exploiting Exchange ProxyLogon Vulnerability
The Hive ransomware affiliate group has been targeting vulnerable Microsoft Exchange servers to deploy its malware.
Hive, which emerged earlier last year, typically operates on a ransomware-as-a-service (RaaS) basis. RaaS operators provide the code and customer service to affiliates who carry out the attacks themselves. Typically, the RaaS model involves the creator of the malicious code charging a monthly fee for access, taking a cut of any successful ransomware attack, or both.
The Hive attack on Exchange was detailed by Varonis Systems Inc. after one of its customers was targeted in a ransomware attack in which multiple devices and file servers were compromised by Hive.
The attack vector was a set of ProxyShell vulnerabilities in Exchange. Attacks on Exchange servers through these flaws have been used in the past by ransomware gangs such as Conti. ProxyShell is an evolution of an earlier attack method known as ProxyLogon.
The ProxyShell attacks take advantage of three vulnerabilities in Exchange, formally tracked as CVE-2021-34474, CVE-2021-34523 and CVE-2021-31207. They were patched by Microsoft in April and May last year, but the problem is that not all organizations update their Exchange installations.
Having gained access to the victim's environment, the Hive affiliate placed a malicious web shell backdoor script in a publicly accessible location directly on the Exchange server. That script could then execute malicious PowerShell code on the compromised server.
The next stage of the attack involved a download from a remote command-and-control server associated with the Cobalt Strike framework, followed by the installation of other tools. The affiliates then scanned for sensitive information and deployed the ransomware.
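The tell-tale of the web shell stage described above is the IIS worker process (w3wp.exe) spawning PowerShell or another shell on the Exchange server. The following is an added defender-side check, not code from the article or from Varonis; it runs a simple parent/child rule over constructed process-creation events (the Sysmon EID 1 / Security 4688 field names and sample values are assumptions).

```python
"""Flag process-creation events where an IIS worker process spawns a shell
or scripting host, the behaviour a web shell on Exchange produces when it
runs PowerShell.  Hypothetical check over constructed sample events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Children an IIS worker process has no business launching on an Exchange server.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "certutil.exe"}
IIS_PARENTS = {"w3wp.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal view of a process-creation record (Sysmon EID 1 / Security 4688)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path, e.g. 'w3wp.exe'."""
    return PureWindowsPath(path).name.lower()


def is_webshell_spawn(ev: ProcEvent) -> bool:
    """True when an IIS worker process spawned a shell or scripting host."""
    return (basename(ev.parent_image) in IIS_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def triage(events):
    """Return only the flagged events so a responder sees host and command line."""
    return [ev for ev in events if is_webshell_spawn(ev)]


# Constructed sample events: w3wp.exe -> csc.exe is normal ASP.NET compilation,
# explorer.exe -> powershell.exe is an admin at the console; only the third matches.
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /noconfig"),
    ProcEvent("EXCH01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -EncodedCommand <CONSTRUCTED_PLACEHOLDER>"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.host}: {basename(ev.parent_image)} -> "
              f"{basename(ev.image)} :: {ev.command_line}")
```

In a real deployment the same rule is fed from the SIEM or EDR process-creation stream rather than a static list, and a hit should be paired with a review of recently written .aspx files under the Exchange web directories.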
Most applications provide encryption natively, but RaaS operators are more sophisticated and use advanced tools to escape sandbox environments and defeat traditional antivirus systems. Strongly encrypted traffic should always be used for connectivity so that publicly exposed threats are prevented from intruding and infecting systems. Proper endpoint checks need to be in place that constantly verify the endpoint before connections are initiated.