Although keeping your software updated and downloading files from trusted sources only is a standard cybersecurity practice, given the rise in malware attacks recently, it's clear that more education is needed on this front. To that end, the Varonis Forensics Team has provided some guidance on how the attackers using Hive ransomware are targeting Microsoft Exchange Servers in its latest series of attacks. For those unaware, Hive follows a ransomware-as-a-service model.
Although Microsoft patched Exchange servers against known vulnerabilities in 2021 and most organizations did update, some did not. Hive is now targeting these vulnerable server instances through ProxyShell vulnerabilities to gain SYSTEM privileges. A PowerShell script then launches a Cobalt Strike and creates a new system administrator account called "user".
After this, Mimikatz is used to steal the NTLM hash of the domain admin and gain control of that account. Following successful compromise, Hive performs some discovery where it deploys network scanners to store IP address, scans files containing "password" in the file name, and attempts to RDP into backup servers to access sensitive assets.
Lastly, a custom malware payload is deployed and executed through a "windows.exe" file that steals and encrypts files, deletes shadow copies, clears event logs, and disables security mechanisms. Subsequently, a ransomware note is displayed which asks the organization to get in touch with Hive's "sales department" hosted on a .onion address accessible via the Tor network. The compromised organization is also provided with the following instructions:
- Do not modify, rename or delete *.key. files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to (sic) purchase. Exfiltrated files will be publicly disclosed.
The last bullet point is certainly interesting because if a payment is not made to Hive, their information will be posted on the "HiveLeaks" Tor website. A countdown is shown on the same website to pressure the victim into paying up.
The security team noted that in one instance, it saw attackers managing to encrypt environments within 72 hours of initial compromise. As such, it has recommended organizations to patch Exchange servers immediately, rotate complex passwords periodically, block SMBv1, restrict access as much as possible, and train employees in the domain of cybersecurity.