Hive ransomware used to attack Exchange Server
Hackers affiliated with Hive try to penetrate Microsoft Exchange Servers by building in a so-called backdoor. Once inside, they explore their victim’s computer network and steal system administrator credentials. They also collect confidential data and install malware.
This is apparent from an analysis by Varonis. The cybersecurity company has been approached by a party that has been the victim of a ransomware attack.
According to the security company, the hackers target companies running Microsoft Exchange Server installations that are still vulnerable to ProxyShell. ProxyShell is the name for three vulnerabilities in Microsoft Exchange Server that allow an unauthenticated remote attacker to execute arbitrary code. This is also known as Remote Code Execution or RCE. Hacker groups such as Conti, BlackByte, Babuk and LockFile have abused this in the past.
The vulnerabilities are classified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297. On a scale of 1 to 10, with 10 being a critical vulnerability, they score from 7.2 (high) to 9.8 (critical).
This is how the perpetrators worked
The hackers installed four web shells in an Exchange directory. They then ran PowerShell code that downloaded Cobalt Strike. Using the credential-dumping tool Mimikatz, the perpetrators stole the password of a system administrator and used these credentials to explore the network.
According to Varonis, the attackers used network scanners to locate valuable data. They intended to use this data as extra leverage for extortion and to demand a higher ransom. After the data was collected, a ransomware payload called ‘windows.exe’ was executed on multiple computers. Among other things, this disabled Windows Defender, deleted all log files, and made sure that the system administrator could do nothing to stop it.
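Added example, not code from the article or from the Varonis report: a small Python detector that checks the stages described above against constructed log records. The record format, field names and the aspnet_client path are assumptions; the Windows Defender policy value and Security event 1102 (audit log cleared) are standard Windows identifiers.

```python
# Toy detector for the attack chain above. Field names, the Exchange path and
# every log record are constructed assumptions for this example.
EXCHANGE_WEB_DIRS = (r"c:\inetpub\wwwroot\aspnet_client",)  # assumed web shell location

# Constructed records (host, source, detail); not real telemetry.
SAMPLE_LOGS = [
    ("EXCH01", "FileCreate", r"C:\inetpub\wwwroot\aspnet_client\Shell1.aspx"),
    ("EXCH01", "ProcessCreate", "parent=w3wp.exe image=powershell.exe"),
    ("EXCH01", "ProcessCreate", "parent=powershell.exe image=mimikatz.exe"),
    ("FS02", "ProcessCreate", r"parent=explorer.exe image=windows.exe path=C:\Users\Public\windows.exe"),
    ("FS02", "Registry", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1"),
    ("FS02", "Security", "EventID=1102 The audit log was cleared."),
    ("FS02", "ProcessCreate", "parent=services.exe image=svchost.exe"),  # benign noise
]

# One rule per stage the article names: (rule name, predicate on (source, lower-cased detail)).
RULES = [
    ("webshell_drop", lambda s, d: s == "FileCreate"
        and d.startswith(EXCHANGE_WEB_DIRS) and d.endswith((".aspx", ".ashx", ".asmx"))),
    ("iis_spawns_powershell", lambda s, d: s == "ProcessCreate"
        and "parent=w3wp.exe" in d and "image=powershell.exe" in d),
    ("credential_dumper", lambda s, d: s == "ProcessCreate" and "mimikatz" in d),
    ("ransomware_payload", lambda s, d: s == "ProcessCreate" and "image=windows.exe" in d),
    ("defender_disabled", lambda s, d: s == "Registry" and d.endswith("disableantispyware=1")),
    ("log_cleared", lambda s, d: s == "Security" and "eventid=1102" in d),
]

def detect(records):
    """Return (rule_name, host, detail) for every record that trips a rule."""
    hits = []
    for host, source, detail in records:
        for name, predicate in RULES:
            if predicate(source, detail.lower()):
                hits.append((name, host, detail))
    return hits

def stages_per_host(hits):
    """Group fired rules by host; a payload plus Defender/log tampering on one
    host is the 'windows.exe' behaviour the article describes."""
    stages = {}
    for name, host, _ in hits:
        stages.setdefault(host, set()).add(name)
    return stages

if __name__ == "__main__":
    for name, host, detail in detect(SAMPLE_LOGS):
        print(f"{host}: {name}: {detail}")
```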
China accused of cyber-attacks via Microsoft Exchange Server
In March 2021, vulnerabilities in Microsoft Exchange Server came to light. Tens of thousands of organizations worldwide had fallen victim to them. In May, Microsoft rolled out a patch that resolved the security vulnerabilities.
According to an international coalition – consisting of the EU, US, UN, NATO, Canada, Australia, New Zealand, Japan and the United Kingdom – China was behind these attacks. China denied having anything to do with it.
Hive operates in the Netherlands
The recent attack that Varonis studied used malware from Hive. This group rents out its ransomware to other hackers, who use it to attack companies and organizations. The developers themselves run little risk of getting caught and receive a share of the proceeds. This revenue model is known as Ransomware-as-a-Service.
Hive is an international hacker group associated with numerous cyber attacks on hospitals and other healthcare facilities. Jan Hanstede, analyst at Z-CERT, the Computer Emergency Response Team for the Dutch healthcare sector, warned at the end of last year that organizations should be alert to the group and get the security of their computer systems and networks in order.
Hive is also responsible for the cyberattack on MediaMarkt in November 2021. Customers could still buy products in stores in the Netherlands, Belgium, Luxembourg and Germany, but picking up or returning orders was temporarily impossible because the internet cables had been removed from the cash registers. The perpetrators demanded $50 million in ransom. A spokesperson for the retailer denied that customer data had been stolen.