{"id":97373,"date":"2022-04-25T06:56:18","date_gmt":"2022-04-25T06:56:18","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=97373"},"modified":"2023-07-20T06:57:49","modified_gmt":"2023-07-20T06:57:49","slug":"hive-ransomware-exchange-servers-proxyshell-attack","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/hive-ransomware-exchange-servers-proxyshell-attack\/","title":{"rendered":"Hive Ransomware Affiliate Targeting Microsoft Exchange Servers"},"content":{"rendered":"

Microsoft Exchange Servers have now become a target of an affiliate of the Hive ransomware group. Varonis — a data security and analytics firm — recently shared details of a ransomware attack investigation carried out by their forensics team on one of their customers’ servers. The team found that multiple file servers and devices in the organization were compromised and encrypted by a threat group called Hive<\/strong>.<\/p>

Hive, <\/strong>first came to light in June 2021, is one of the most active threat groups targeting Exchange Servers with ProxyShell<\/a> (authentication bypass) vulnerabilities. ProxyShell<\/strong> is a set of three vulnerabilities (CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473) when chained together, allow the threat actors to bypass authentication and execute malicious codes, install web shells, etc. The ProxyShell vulnerabilities have been exploited by various threat groups earlier to spread Babuk<\/a>, BlackByte<\/a>, Cuba<\/a>, LockFile<\/a>, etc., ransomware on Exchange Servers.<\/p>

Though these vulnerabilities were patched by Microsoft in April and May 2021, many Exchange Servers are still unpatched. According to a report by Shodan<\/a>, more than 7000 verified Exchange Servers are still unpatched and vulnerable to ProxyShell attacks.<\/p>

\"exchange<\/figure>

How are Hive Attacking Vulnerable Exchange Servers?<\/h2>

The ProxyShell vulnerabilities lie in the Microsoft Exchange Client Access Server (CAS), usually exposed to the internet. This makes it easier for the threat actors to identify or find Exchange Servers with ProxyShell vulnerabilities, exploit the vulnerabilities, and compromise the organization’s network, servers, and devices.<\/p>

The Hive ransomware group uses an affiliate-based ransomware variant (or Ransomware-as-a-service) to target vulnerable Exchange Servers and enables affiliates to utilize the compromised servers as they desire.<\/p>

According to Varonis<\/a>, the Hive group uses the common ransomware tactics, techniques, and procedures (TTP) to exploit the Exchange Server vulnerabilities, compromise the server, and encrypt the business data for a ransom.<\/p>

After encrypting or stealing the data, a plaintext ransom note is dropped on the victims’ system, threatening them to meet their conditions, or their data will be published on HiveLeaks<\/strong>— a tor site on the dark web.  <\/p>

How to Protect your Organization from Hive Ransomware Attack?<\/h2>

To protect your organization from Hive and other ransomware threat groups targeting ProxyShell vulnerabilities and other flaws in Exchange Server, update your servers with the latest Cumulative Update or Security Update.<\/p>

There is no other way around to protect your servers from these attacks. So, in addition to installing updates, you should also take active measures to strengthen your server security.<\/p>

Organizations running Exchange Server 2010 should immediately upgrade to Exchange 2016 or later to continue receiving Security Updates and patch vulnerabilities.  <\/p>

Steps to Protect Exchange Server from Hive (ProxyShell Attack)<\/h2>

You can follow the steps discussed below to identify the vulnerabilities and fix or patch them to safeguard your organization against ProxyShell and other malicious attacks.<\/p>

Step 1: Check Exchange Server Health<\/h3>

You can use Microsoft Exchange Server Health Checker Script (HealthChecker.ps1) to check your server’s health and identify the issues and vulnerabilities you need to patch.<\/p>

The steps are as follows:<\/p>