
Hive Ransomware Affiliate Targeting Microsoft Exchange Servers

Published on April 25th, 2022
Written by Ravi Singh. Approved by Shaun Hardneck.

Summary: An affiliate of the 'Hive' ransomware group is targeting Microsoft Exchange Servers that are still vulnerable to ProxyShell, exploiting the flaws to gain access and plant web shells and other malicious code. In this blog, we discuss how the Hive affiliate attacks Exchange Servers and the steps you need to take to protect your vulnerable servers.


Microsoft Exchange Servers have become a target of an affiliate of the Hive ransomware group. Varonis, a data security and analytics firm, recently shared details of a ransomware attack investigated by its forensics team on one of its customers' servers. The team found that multiple file servers and devices in the organization had been compromised and encrypted by the Hive threat group.

Hive, which first came to light in June 2021, is one of the most active threat groups targeting Exchange Servers through the ProxyShell vulnerabilities. ProxyShell is a set of three vulnerabilities: CVE-2021-34473 (a pre-authentication path confusion in the Autodiscover front end that lets an attacker reach arbitrary back-end endpoints), CVE-2021-34523 (a privilege elevation in the Exchange PowerShell back end) and CVE-2021-31207 (a post-authentication arbitrary file write, abused through mailbox export requests). Chained together, they allow an unauthenticated attacker to execute code on the server, install web shells, etc. The ProxyShell vulnerabilities have already been exploited by other threat groups to deploy Babuk, BlackByte, Cuba, LockFile and other ransomware on Exchange Servers.

Although Microsoft patched these vulnerabilities in April and May 2021 (the April 2021 Security Update fixed CVE-2021-34473 and CVE-2021-34523, and the May 2021 Security Update fixed CVE-2021-31207), many Exchange Servers are still unpatched. According to Shodan, more than 7,000 internet-exposed Exchange Servers are still unpatched and vulnerable to ProxyShell attacks.


Contents

  • How is Hive Attacking Vulnerable Exchange Servers?
  • How to Protect your Organization from a Hive Ransomware Attack?
  • Steps to Protect Exchange Server from Hive (ProxyShell Attack)
  • Conclusion

How is Hive Attacking Vulnerable Exchange Servers?

The ProxyShell vulnerabilities lie in the Client Access Services (CAS) front end of Exchange, the component that is usually exposed to the internet on port 443 for Outlook on the web, Autodiscover and ActiveSync. Because the entry point (CVE-2021-34473) requires no authentication, threat actors can find vulnerable servers with internet-wide scanning, exploit them directly, and use the foothold to compromise the organization's network, servers, and devices.
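The exploitation described above leaves a recognizable trace in the IIS logs of the front-end site: a request to /autodiscover/autodiscover.json whose query string carries an @-prefixed host followed by a back-end path such as /mapi/nspi or /powershell, plus an Email=autodiscover/autodiscover.json parameter, often followed by requests for a freshly dropped .aspx file. The following PowerShell is an added example, not code from the original post or from the Varonis report; the function name is mine, and the log lines, host names and IP addresses are constructed for illustration.

```powershell
# Added example, not from the original post. Parses IIS W3C log lines and flags
# ProxyShell-style requests. The sample log below is constructed; on a real
# server read the files under C:\inetpub\logs\LogFiles\W3SVC1\ (the Default Web
# Site, which fronts Exchange on port 443).

$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-04-20 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.local/owa/ 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 120
2022-04-20 10:15:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.77 python-requests/2.27 - 200 0 0 88
2022-04-20 10:16:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=TOKENVALUE&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.77 python-requests/2.27 - 200 0 0 410
2022-04-20 10:16:30 10.0.0.5 GET /aspnet_client/shell.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 12
2022-04-20 10:17:05 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.40 Microsoft+Office/16.0 - 200 0 0 60
'@

function Find-ProxyShellRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    $hits   = [System.Collections.Generic.List[object]]::new()

    foreach ($line in $Lines) {
        # Every IIS log file starts with header lines; #Fields defines the columns.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $stem  = $rec['cs-uri-stem']
        # IIS logs the query string as received; decode once so %3f and ? compare equal.
        $query = [System.Uri]::UnescapeDataString($rec['cs-uri-query'])

        $indicator = $null
        if ($stem -ieq '/autodiscover/autodiscover.json' -and
            $query -match '@[^/\s]+/(mapi/nspi|powershell|ews|autodiscover)' -and
            $query -match 'Email=autodiscover/autodiscover\.json') {
            $indicator = 'ProxyShell path confusion (CVE-2021-34473) towards a back-end endpoint'
        }
        elseif ($stem -match '^/aspnet_client/.+\.aspx$') {
            # Exchange serves no .aspx pages from aspnet_client; a request for one is suspect.
            $indicator = 'ASPX requested under /aspnet_client/ (possible web shell)'
        }

        if ($indicator) {
            $hits.Add([pscustomobject]@{
                Time      = "$($rec['date']) $($rec['time'])"
                ClientIP  = $rec['c-ip']
                Method    = $rec['cs-method']
                Stem      = $stem
                Query     = $query
                Status    = $rec['sc-status']
                Indicator = $indicator
            })
        }
    }
    return $hits
}

$hits = Find-ProxyShellRequests -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table Time, ClientIP, Method, Stem, Indicator -AutoSize
# Summarize by source address, which is usually how the intrusion is scoped:
$hits | Group-Object ClientIP | Select-Object Name, Count

# Against real logs (default path for the Default Web Site):
# Find-ProxyShellRequests -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
```

On the constructed sample this flags three requests, all from 203.0.113.77: the path-confusion probe towards /mapi/nspi, the follow-up towards /powershell, and the request for the dropped shell.aspx. A 200 status on the autodiscover.json requests is itself a bad sign on a patched server, which answers them with 401/404; a patched server can still show the probes, so the status column matters as much as the match.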

Hive operates as ransomware-as-a-service (RaaS): the core group maintains the ransomware and the leak site, while affiliates carry out the intrusions, including the exploitation of vulnerable Exchange Servers, and use the compromised servers as they see fit.

According to Varonis, the Hive affiliate used common ransomware tactics, techniques, and procedures (TTPs): exploit the Exchange Server vulnerabilities, compromise the server and the wider network, and encrypt the business data for ransom.

After stealing and encrypting the data, the actors drop a plaintext ransom note on the victims' systems, threatening to publish the stolen data on HiveLeaks, a Tor site on the dark web, unless the victims meet their demands.

How to Protect your Organization from a Hive Ransomware Attack?

To protect your organization from Hive and other ransomware groups exploiting ProxyShell and other flaws in Exchange Server, bring your servers to the latest Cumulative Update (CU) and the latest Security Update (SU) released for that CU.

Patching is the only way to close the vulnerabilities themselves, but it does not undo a compromise that has already happened: a web shell planted before the update stays in place and keeps working. So, in addition to installing updates, check the servers for signs of exploitation and take active measures to harden them, such as limiting internet exposure to what is actually needed and reviewing the IIS logs for suspicious requests.

Exchange Server 2010 reached end of support in October 2020 and no longer receives Security Updates. Organizations still running it should migrate to Exchange 2016 or later without delay to continue receiving fixes for vulnerabilities.

Steps to Protect Exchange Server from Hive (ProxyShell Attack)

Follow the steps below to identify the vulnerabilities on your servers and patch them, so as to safeguard your organization against ProxyShell and other attacks.

Step 1: Check Exchange Server Health

You can use Microsoft's Exchange Server Health Checker script (HealthChecker.ps1) to check your server's health and list the known vulnerabilities, by CVE, that the server's current build is missing fixes for.

The steps are as follows:

  • Download HealthChecker.ps1 from https://aka.ms/ExchangeHealthChecker. The script currently supports Exchange Server 2013, 2016, and 2019.
  • Open the Exchange Management Shell (EMS) and use the 'cd' command to navigate to the folder where HealthChecker.ps1 is located. For instance,
    cd C:\Users\UserName\Downloads\
  • Then run the following command to execute HealthChecker.ps1 against the local server.
    .\HealthChecker.ps1
  • You may also generate a detailed HTML report by executing the following command.
    .\HealthChecker.ps1 -BuildHtmlServersReport

A detailed HTML report is created in the same folder as the script. Double-click the HTML file to open it in a web browser.


If you receive a warning or error about the execution policy while running the script, bypass the policy for the current EMS process only with the following command (alternatively, clear the 'downloaded from the internet' mark on the file with Unblock-File, which avoids changing the policy at all).

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Step 2: Download and Install Exchange Server Updates

Check the 'Security Vulnerability' section of the report and apply the missing fixes: install the latest Cumulative Update for your Exchange Server version first, then the latest Security Update released for that CU. Security Updates are CU-specific and will not install on an older CU. Refer to our detailed guide to download and install Cumulative and Security updates on Exchange Server.
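Once the update is on, two things remain to be verified: that the server really runs the patched build, and that nothing was planted before the patch landed. The following PowerShell is an added example, not part of the original post or of Microsoft's HealthChecker; it is meant to be run in the Exchange Management Shell on the server itself. It assumes the default IIS web root, the ExchangeInstallPath environment variable that Exchange setup creates, and an account holding the Mailbox Import Export role (needed to list export requests). The function names are mine.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange server. Assumes the default IIS web root and the
# ExchangeInstallPath environment variable that Exchange setup creates.

function Get-ExchangeBuildInfo {
    # AdminDisplayVersion only tells you the Cumulative Update. The Security Update
    # level is carried by the file version of ExSetup.exe, which is what Microsoft's
    # build-number table (and HealthChecker) compare against.
    $server  = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    [pscustomobject]@{
        Server              = $server.Name
        AdminDisplayVersion = $server.AdminDisplayVersion.ToString()
        ExSetupFileVersion  = (Get-Item $exSetup).VersionInfo.FileVersion
    }
}

function Get-SuspiciousExportRequests {
    # CVE-2021-31207 is abused by creating a mailbox export request whose -FilePath
    # points into a web-served directory, so the exported PST doubles as a web shell.
    # Legitimate exports land on a file share, not under inetpub or FrontEnd\HttpProxy.
    Get-MailboxExportRequest -ResultSize Unlimited |
        Get-MailboxExportRequestStatistics |
        Where-Object {
            $_.FilePath -match '\.aspx$' -or
            $_.FilePath -match '\\inetpub\\|\\FrontEnd\\HttpProxy\\'
        } |
        Select-Object Name, SourceAlias, FilePath, Status, QueuedTimestamp
}

function Get-RecentAspxFiles {
    # Web shells from ProxyShell intrusions were typically written under the
    # front-end virtual directories or the aspnet_client folder. Exchange ships no
    # .aspx files under aspnet_client, so anything there is suspect regardless of age.
    param([datetime]$Since = (Get-Date).AddDays(-90))

    $roots = @(
        (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
        'C:\inetpub\wwwroot\aspnet_client'
    )
    Get-ChildItem -Path $roots -Recurse -Filter *.aspx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

Get-ExchangeBuildInfo | Format-List
Get-SuspiciousExportRequests | Format-Table -AutoSize
Get-RecentAspxFiles -Since (Get-Date).AddDays(-120) | Format-Table -AutoSize
```

Compare the ExSetup.exe file version with the build number Microsoft lists for the Security Update you installed, not with AdminDisplayVersion, which does not change when an SU is applied. Installing a CU rewrites the legitimate .aspx pages under FrontEnd\HttpProxy, so after patching compare the file list with a known-good server or with the CU's own file set rather than trusting timestamps alone; web shell timestamps are also easy to forge. An attacker can remove their export requests once the shell is written, so an empty result from Get-SuspiciousExportRequests is not proof that nothing happened.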

Conclusion

The Hive ransomware gang is one of the most active groups currently targeting unpatched Exchange Servers by exploiting the ProxyShell vulnerabilities. Although Microsoft patched them back in April and May 2021, thousands of servers are still vulnerable and exposed to the internet.

To safeguard your organization and data from malicious attacks and ransomware, install the latest Cumulative Update or Security Update available for your Exchange Server version as soon as possible.

However, if you do become a victim, treat the compromised server as untrusted: set up a new server and restore the mailboxes from a backup taken before the compromise. You can also use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes if the server has failed or the databases on the compromised server have become inaccessible or damaged. The tool can repair the Exchange database, extract mailboxes, and save them as PST. You may also export the recovered mailboxes directly to your newly set up Exchange Server. This helps avoid downtime and quickly resume your organization's normal operations.

We recommend following our regularly updated blog on Exchange Server updates for newer threats, vulnerabilities, and fixes.

