Hive Ransomware Affiliate Targeting Microsoft Exchange Servers
Summary: An affiliate of the 'Hive' ransomware group is targeting Microsoft Exchange Servers that are still exposed to the ProxyShell vulnerabilities, using them to gain access, plant web shells, and ultimately deploy ransomware. In this blog, we discuss how the Hive affiliate attacks Exchange Server and the steps you need to take to protect your vulnerable Exchange Servers.
Microsoft Exchange Servers have become a target of an affiliate of the Hive ransomware group. Varonis, a data security and analytics firm, recently shared details of a ransomware attack investigation that its forensics team carried out on one of its customers' servers. The team found that multiple file servers and devices in the organization had been compromised and encrypted by the threat group known as Hive.
Hive, which first came to light in June 2021, is among the most active threat groups targeting Exchange Servers through the ProxyShell vulnerabilities. ProxyShell is a set of three vulnerabilities (CVE-2021-34473, a pre-authentication path-confusion bug in the Exchange front end; CVE-2021-34523, a privilege elevation in the Exchange PowerShell back end; and CVE-2021-31207, a post-authentication arbitrary file write) that, chained together, let an unauthenticated attacker run Exchange PowerShell cmdlets as a privileged user, write a web shell to disk, and from there execute arbitrary code on the server. The ProxyShell vulnerabilities have previously been exploited by other threat groups to deploy Babuk, BlackByte, Cuba, and LockFile ransomware on Exchange Servers.
Although Microsoft fixed these vulnerabilities in the April and May 2021 Security Updates, many Exchange Servers remain unpatched. According to Shodan data, more than 7,000 Exchange Servers are still unpatched and exposed to ProxyShell attacks.
How Is Hive Attacking Vulnerable Exchange Servers?
The ProxyShell vulnerabilities lie in the Client Access Server (CAS) role of Microsoft Exchange, the front end that terminates OWA, ECP, Autodiscover, EWS, and MAPI traffic and is therefore usually exposed to the internet. Because the entry point of the chain (CVE-2021-34473) needs no credentials, threat actors can scan the internet for unpatched servers, exploit them, and then move from the Exchange server into the rest of the organization's network, servers, and devices.
Hive operates as Ransomware-as-a-Service (RaaS): the core group maintains the ransomware and the leak site, while affiliates carry out the intrusions, including those against vulnerable Exchange Servers, and are free to use the compromised servers as they see fit.
According to Varonis, the Hive affiliate follows the common ransomware tactics, techniques, and procedures (TTPs): exploit the Exchange Server vulnerabilities, compromise the server, spread through the network, and encrypt the business data for ransom.
After exfiltrating and encrypting the data, the affiliate drops a plaintext ransom note on the victim's systems, threatening to publish the stolen data on HiveLeaks, the group's Tor-based leak site, unless the ransom is paid.
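Each of the three ProxyShell stages described above leaves traces on the Exchange server itself. The PowerShell below is an added example, not code from the original post or from Varonis: it parses IIS W3C logs for the Autodiscover path-confusion request, lists recently written .aspx files in the front-end folders where the web shell is typically dropped, and (from the Exchange Management Shell) lists "Mailbox Import Export" role assignments and mailbox export requests that point at .aspx files. The IIS log root, the use of $env:ExchangeInstallPath, the folder list, and the sample log lines are assumptions or constructed data, not values taken from the page.

```powershell
# Added example, not part of the original post: hunt for ProxyShell exploitation traces
# on an Exchange 2013/2016/2019 server. The IIS log root, the Exchange install path and
# the sample log lines below are assumptions/constructed data; adjust them to your server.

$iisLogRoot   = 'C:\inetpub\logs\LogFiles'   # default IIS log location (assumption)
$exchangeRoot = $env:ExchangeInstallPath      # set by Exchange setup, e.g. ...\Exchange Server\V15\

# Stage 1 (CVE-2021-34473): the path-confusion request looks like
#   /autodiscover/autodiscover.json?<junk>@<host>/<backend>...
# and the back end the attacker wants is usually /powershell or /mapi/nspi.
$queryPattern = '@[^/]*/(powershell|mapi/nspi|ews/exchange\.asmx)'

function Find-ProxyShellRequests {
    param([Parameter(Mandatory)][string[]]$LogFile)
    foreach ($file in $LogFile) {
        $ix = $null                       # column indices, taken from the W3C header
        foreach ($line in [System.IO.File]::ReadLines($file)) {
            if ($line.StartsWith('#Fields:')) {
                $names = $line.Substring(8).Trim() -split ' '
                $ix = @{}
                foreach ($n in 'date', 'time', 'c-ip', 'cs-uri-stem', 'cs-uri-query') {
                    $ix[$n] = [array]::IndexOf($names, $n)
                }
                continue
            }
            # skip comments, lines before any header, and logs missing a needed column
            if ($line.StartsWith('#') -or $null -eq $ix -or $ix.Values -contains -1) { continue }
            $cols  = $line -split ' '
            $stem  = $cols[$ix['cs-uri-stem']]
            $query = $cols[$ix['cs-uri-query']]
            # -match is case-insensitive, which matters because exploit URLs vary in case
            if ($stem -match '^/autodiscover/autodiscover\.json$' -and $query -match $queryPattern) {
                [pscustomobject]@{
                    Time   = '{0} {1}' -f $cols[$ix['date']], $cols[$ix['time']]
                    Client = $cols[$ix['c-ip']]
                    Query  = $query
                    File   = $file
                }
            }
        }
    }
}

# Stage 3 (CVE-2021-31207) writes the web shell by exporting a mailbox to a .aspx path
# inside a web-served folder; any recent .aspx in these folders deserves a look.
function Find-RecentAspx {
    param([int]$Days = 30)
    if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on the Exchange server.' }
    $dirs = @(
        (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
        (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
        'C:\inetpub\wwwroot\aspnet_client'
    )
    Get-ChildItem -Path $dirs -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, Length, LastWriteTime
}

# The export needs the "Mailbox Import Export" role, which the attacker grants to the
# account obtained in stage 2; both the role assignment and an export whose FilePath
# ends in .aspx are indicators. These cmdlets run only in the Exchange Management Shell.
function Find-SuspiciousExports {
    Get-ManagementRoleAssignment -Role 'Mailbox Import Export' |
        Select-Object RoleAssignee, RoleAssigneeType, WhenCreated
    Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
        Where-Object { $_.FilePath -match '\.aspx$' } |
        Select-Object Name, Mailbox, FilePath, Status
}

# Demo on a constructed log (not real traffic): one ordinary OWA request, one exploit request.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-19 10:15:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 200
2022-04-19 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=AAAA 443 - 203.0.113.7 python-requests/2.26.0 200
'@
$demoLog = Join-Path $env:TEMP 'u_ex220419.log'
Set-Content -Path $demoLog -Value $sample
Find-ProxyShellRequests -LogFile $demoLog | Format-Table -AutoSize   # reports only the second request

# On a real server, run the same functions over the live data:
#   Find-ProxyShellRequests -LogFile (Get-ChildItem $iisLogRoot -Recurse -Filter *.log).FullName
#   Find-RecentAspx -Days 30
#   Find-SuspiciousExports
```

The log parser reads the column layout from the `#Fields:` header rather than assuming fixed positions, because IIS sites are often configured with different field sets. A hit from Find-ProxyShellRequests, a fresh .aspx under the front-end folders, or an export request whose target ends in .aspx should be treated as a confirmed compromise, not merely a vulnerable server: patch, but also rebuild or forensically examine the host before trusting it again.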
How to Protect your Organization from Hive Ransomware Attack?
To protect your organization from Hive and other ransomware groups that target ProxyShell and other flaws in Exchange Server, bring your servers up to date with the latest Cumulative Update (CU) and then the latest Security Update (SU). Note that Microsoft releases SUs only for the currently supported CUs, so a server on an old CU cannot receive the fix until the CU itself is updated.
Patching is not optional, but it is not sufficient on its own either. In addition to installing updates, take active measures to reduce the attack surface and catch an intrusion early: expose to the internet only the Client Access endpoints you actually need, keep the Exchange Emergency Mitigation Service enabled (available from Exchange 2016 CU22 and Exchange 2019 CU11 onward), keep backups out of reach of a compromised domain account, and watch for new .aspx files in the Exchange web directories and for unexpected mailbox export requests, both of which ProxyShell exploitation leaves behind.
Organizations still running Exchange Server 2010, which left extended support in October 2020 and no longer receives Security Updates, should upgrade to Exchange 2016 or later without delay.
Steps to Protect Exchange Server from Hive (ProxyShell Attack)
Follow the steps below to identify the vulnerabilities on your servers and patch them, safeguarding your organization against ProxyShell and similar attacks.
Step 1: Check Exchange Server Health
Use Microsoft's Exchange Server Health Checker script (HealthChecker.ps1) to check your server's health and list the issues and missing security updates you need to address.
The steps are as follows:
- Download HealthChecker.ps1 from Microsoft's CSS-Exchange GitHub repository. The script currently supports Exchange Server 2013, 2016, and 2019.
- Open the Exchange Management Shell (EMS) and use the 'cd' command to navigate to the folder where you saved HealthChecker.ps1.
- Run the script from that folder to check the local server.
- Optionally, run the script again with its HTML report switch to generate a detailed HTML report.
A detailed HTML report is created in the same folder as HealthChecker.ps1. Double-click the HTML file to open it in a web browser.
If you receive a warning or error about the script execution policy when running the script, bypass the policy for the current EMS session only with the following command:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Step 2: Download and Install Exchange Server Updates
Check the report's Security Vulnerabilities section and apply the required patches: install the latest Cumulative Update for your Exchange Server version first, then the latest Security Update for that CU. Refer to our detailed guide to download and install Cumulative and Security Updates on Exchange Server.
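Steps 1 and 2 as one Exchange Management Shell session, as an added example (not from the original post or from Microsoft's HealthChecker project). It assumes the script was saved to C:\Scripts and that it runs on the server being checked; the HealthChecker switch used is the one documented with the script. The build check at the end is the practitioner's way to confirm that a Security Update actually landed, since the version shown by Get-ExchangeServer reflects the Cumulative Update but not necessarily the Security Update.

```powershell
# Added example, not part of the original post: run HealthChecker.ps1 and confirm the
# exact Exchange build afterwards. Assumptions: the script was saved to C:\Scripts and
# this runs inside the Exchange Management Shell on the server being checked.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass   # this EMS session only; no machine-wide change
Set-Location 'C:\Scripts'                                     # folder holding HealthChecker.ps1 (assumption)

.\HealthChecker.ps1                                           # console report for the local server
.\HealthChecker.ps1 -BuildHtmlServersReport                   # HTML report written next to the script

# Open the newest HTML report in the default browser
$report = Get-ChildItem -Filter *.html | Sort-Object LastWriteTime | Select-Object -Last 1
if ($report) { Invoke-Item $report.FullName }

# After installing the CU and SU (Step 2), verify the build. AdminDisplayVersion reflects
# the Cumulative Update but not necessarily the Security Update; the SU is visible in the
# ExSetup.exe file version, so compare ExactBuild with the build Microsoft lists for the SU.
function Get-LocalExchangeBuild {
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME
    [pscustomobject]@{
        Server     = $server.Name
        CU         = $server.AdminDisplayVersion
        ExactBuild = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    }
}
Get-LocalExchangeBuild
```

Run HealthChecker again after patching: a clean Security Vulnerabilities section plus an ExactBuild that matches the Security Update build on Microsoft's Exchange build-number table is the confirmation that the server is no longer exposed to ProxyShell.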
The Hive ransomware gang is one of the most active groups currently targeting unpatched Exchange Servers — exploiting the ProxyShell vulnerabilities. Although Microsoft patched the vulnerabilities back in April and May 2021, thousands of servers are still vulnerable and exposed to the internet.
To safeguard your organization and data from malicious attacks and ransomware, install the latest Cumulative Update or Security Update available for your Exchange Server version as soon as possible.
If you do fall victim to an attack, set up a new server and restore the mailboxes from backup. You can also use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes if the server has failed or the databases on the compromised server have become inaccessible or damaged. The tool can repair the Exchange database, extract mailboxes, and save them as PST files, or export the recovered mailboxes directly to your newly set up Exchange Server. This helps minimize downtime and lets your organization resume normal operations quickly.
We recommend you follow our frequently updated detailed blog on the latest Exchange Server updates on newer threats, vulnerabilities, and fixes.