Hive Ransomware Gang Targeting Unpatched Microsoft Exchange Servers for a Payday

essidsolutions

Three ProxyShell vulnerabilities in unpatched Microsoft Exchange Server implementations, for which Microsoft issued patches in 2021, are still being exploited by the Hive ransomware gang, according to Varonis Systems. The group is infamous for specifically targeting the healthcare and energy sectors, among others.

Vulnerable Microsoft Exchange servers are being actively targeted by an affiliate of the Hive ransomware gang. Data protection company Varonis Systems recently investigated attacks against Exchange Servers still exposed to the ProxyShell vulnerabilities disclosed last year.

The three ProxyShell vulnerabilities, CVE-2021-34473 (CVSS 9.8), CVE-2021-34523 (CVSS 9.8) and CVE-2021-31207 (CVSS 7.2), are respectively a remote code execution flaw, an elevation of privilege flaw and a security feature bypass in Microsoft Exchange Server, and are chained together to obtain unauthenticated code execution on the server. The first two were fixed in the April 2021 Exchange security update (the CVEs themselves were only published in July 2021), while the fix for the third shipped a month later, in May 2021.

Since Microsoft has not reported any defect in those patches, the most plausible explanation is that businesses are still running Exchange Server deployments that never received them.

Organizations often delay fixing vulnerabilities for various reasons: patching is still largely manual, coordination between the teams that own the systems is slow, and there is little reliable guidance on which flaws to prioritize.

As a result, ransomware gangs are increasingly hunting for and targeting unpatched flaws. Ivanti's Ransomware Spotlight Year-End Report states that ransomware groups exploited or attempted to exploit 65 new vulnerabilities in 2021. Additionally, 56% of the 223 vulnerabilities tied to ransomware and discovered before 2021 were still being actively targeted by ransomware groups as of December 2021.

Two of the three ProxyShell vulnerabilities carry a CVSS rating of 9.8, which is almost as good as it gets for an attacker: the flaw is reachable over the network, needs no authentication and no user interaction, and leads to a full compromise of the server. Leaving an internet-facing mail server unpatched against such a bug is like serving it up on a platter. Varonis said that the Hive affiliate managed to encrypt the target environment less than 72 hours after the initial intrusion.

After gaining initial access through the ProxyShell chain, the threat actor first set up a backdoor by placing a web shell, whose source code was copied from a public GitHub repository, in a publicly accessible directory on the Exchange server. Because Exchange's IIS worker process runs with SYSTEM privileges, the web shell could execute PowerShell code as SYSTEM.
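A web shell dropped into an Exchange virtual directory leaves a trace in the IIS W3C logs: requests to an .aspx file that is not part of the product's own front end, typically arriving as POSTs that return 200. The following hunt script is an added example for this article, not Varonis's tooling; the whitelist of legitimate endpoints, the exposed directory prefixes and the sample log lines are all constructed assumptions for illustration and must be replaced with a baseline taken from a clean Exchange server of the same build.

```python
"""Hunt Exchange IIS W3C logs for web-shell activity: successful requests to
.aspx endpoints under client-facing directories that are not in the baseline."""
from collections import defaultdict

# Field order of the W3C extended log lines used below (assumed for this example;
# read the real order from the '#Fields:' header of your own logs).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "status"]

# Assumed baseline of legitimate Exchange .aspx endpoints (illustrative, not
# exhaustive); in practice build this from a known-clean server of the same build.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Client-facing virtual directories an attacker with a ProxyShell foothold can
# write into; any new .aspx appearing here is worth a look.
EXPOSED_PREFIXES = ("/owa/auth/", "/aspnet_client/", "/ecp/")


def parse_line(line):
    """Split one W3C log line into a dict, skipping comments and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # malformed or different field layout
    return dict(zip(FIELDS, parts))


def find_webshell_hits(lines, known=KNOWN_ASPX, prefixes=EXPOSED_PREFIXES):
    """Return {uri_stem: [(timestamp, method, client_ip, user_agent), ...]} for
    every 2xx request to an .aspx under an exposed prefix that is not in the
    baseline. The caller decides what to do with the suspects."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stem = rec["uri_stem"].lower()
        if not stem.endswith(".aspx") or not stem.startswith(prefixes):
            continue
        if stem in known:
            continue
        if rec["status"].startswith("2"):  # the shell answered; a 404 would be a probe
            hits[stem].append((rec["date"] + " " + rec["time"], rec["method"],
                               rec["c_ip"], rec["user_agent"]))
    return dict(hits)


# Constructed sample log: two legitimate logon requests, then two requests to an
# unknown .aspx in /aspnet_client/ from a scripted client. File and IPs are made up.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 203.0.113.7 Mozilla/5.0 200
2022-04-20 10:02:10 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2022-04-20 10:15:44 10.0.0.5 POST /aspnet_client/system_web/updater.aspx - 443 - 198.51.100.23 python-requests/2.27 200
2022-04-20 10:15:49 10.0.0.5 POST /aspnet_client/system_web/updater.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.27 200
"""

if __name__ == "__main__":
    for stem, events in find_webshell_hits(SAMPLE_LOG.splitlines()).items():
        print(f"suspect endpoint {stem}: {len(events)} successful request(s)")
        for ts, method, ip, ua in events:
            print(f"  {ts} {method} from {ip} ({ua})")
```

Run against the real `C:\inetpub\logs\LogFiles\W3SVC1\*.log` files, anything the script reports should be cross-checked against the file system (creation time of the .aspx, who wrote it) and against process-creation telemetry for `w3wp.exe` spawning `powershell.exe` or `cmd.exe`, which is how the shell described above would have run its commands.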

This was followed by the installation of Cobalt Strike, a famous red team tool for adversary simulation to set up command and control (C2) communication. The Hive affiliate then deployed Mimikatz, another tool popular among cybercriminals, for credential dumping.

With SYSTEM privileges on the Exchange server, the threat actor created new administrator accounts and then used the domain Administrator NTLM hash obtained with Mimikatz to authenticate as that account, a pass-the-hash attack that gave them domain admin rights without ever knowing the password.


The next step, according to Varonis, was lateral movement combined with extensive searches across the network for files containing the word "password", in order to unlock additional resources. The Hive affiliate dropped network scanners and collected IP ranges, device names and hosts exposing Remote Desktop Protocol (RDP), which gave it access to the backup servers and other critical assets.

“Finally, a custom-crafted malware payload named Windows.exe was delivered and executed on various devices, leading to wide encryption and denial of access to files within the organization,” Varonis said. “The payload created a plain text ransomware demand note during the encryption phase.” The result?

Hive Ransomware Encryption | Source: Varonis

The Hive ransomware gang first came to prominence in June 2021. It operates on a ransomware-as-a-service model and has targeted the manufacturing, financial services, nonprofit, media and education sectors, among others, globally. However, its favorites are the energy and healthcare sectors.

Trend Micro wrote in a blog post, "While some ransomware groups operating as ransomware-as-a-service (RaaS) networks claim to steer clear of targeting specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive's attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations."

Among Hive's latest victims is Partnership HealthPlan of California. Because of the group's track record against the healthcare sector, the Department of Health and Human Services' (HHS) Health Sector Cybersecurity Coordination Center (HC3) released an analyst note warning about the Hive ransomware gang on April 18.

Hive operators and affiliates use double extortion as part of their ransomware operations, meaning they exfiltrate data before encrypting it. If an organization refuses to pay, the attackers publish its data on HiveLeaks, the group's leak site. By December 2021, HiveLeaks listed 55 organizations that had not paid a ransom, but the group's total number of victims was approximately 355 in just the four months from September to December 2021.
