Hive malware operators attack Microsoft Exchange servers

Hive ransomware operators attack Microsoft Exchange servers that are vulnerable to the notorious ProxyShell problems.

On compromised machines, attackers deploy various backdoors, including Cobalt Strike beacons, then conduct reconnaissance, steal credentials and valuable information, and only then proceed to encrypt files.

Varonis, who are investigating what is happening after a ransomware attack on one of their customers, warned about the issue.

Let me remind you that the vulnerabilities, which were collectively called ProxyShell, became known in the summer of 2021.

ProxyShell combines three vulnerabilities that allow remote code execution without authentication on Microsoft Exchange servers. These vulnerabilities exploit the Microsoft Exchange Client Access Service (CAS) running on port 443.

Let me remind you that we, פֿאַר בייַשפּיל, talked about Hancitor מאַלוואַרע, which uses phishing emails, compromised credentials, or brute-forcing RDP to access vulnerable Windows machines and exploits vulnerabilities in Microsoft Exchange.

Previously, ProxyShell bugs have already been used by many attackers, including such well-known hack groups as Conti, BlackByte, Babuk, Cuba און LockFile. צום באַדויערן, the Hive attacks show that not everyone has patched ProxyShell yet, and vulnerable servers can still be found on the network.

After exploiting ProxyShell bugs, Hive operators inject four web shells into an accessible Exchange directory and execute PowerShell code with high privileges, loading Cobalt Strike stagers. The researchers note that the web shells used in these attacks were taken from a public Git repository and then simply renamed to avoid detection.

On the attacked machines, the attackers also use the Mimikatz infostealer to steal the password from the domain administrator account and perform a lateral movement. In this way, hackers look for the most valuable data in order to force the victim to pay a ransom later.

אין צוגאב, we were able to detect remnants of remote network scanners, lists of IP addresses, devices and directories, RDP for backup servers, SQL database scans and much more.Varonis analysts write.
Only after all valuable files have been successfully stolen, the ransomware payload (named Windows.exe) is deployed. Just before encrypting files, a Golang payload also removes shadow copies, disables Windows Defender, clears Windows event logs, kills file linking processes, and stops the Security Accounts Manager to disable alerts.

העלגאַ סמיט

איך בין שטענדיק אינטערעסירט אין קאָמפּיוטער וויסנשאַפֿט, ספּעציעל דאַטן זיכערהייט און די טעמע, וואס הייסט היינט-צו-טאג "דאַטן וויסנשאַפֿט", זינט מיין פרי טינז. איידער איר קומען אין די ווירוס באַזייַטיקונג מאַנשאַפֿט ווי רעדאַקטאָר-אין-ראשי, איך געארבעט ווי אַ סייבערסעקוריטי מומחה אין עטלעכע קאָמפּאַניעס, אַרייַנגערעכנט איינער פון אַמאַזאָן ס קאָנטראַקטאָרס. אן אנדער דערפאַרונג: איך האָבן געלערנט אין Arden און רידינג אוניווערסיטעטן.

לאָזן אַ ענטפער

דער פּלאַץ ניצט Akismet צו רעדוצירן ספּאַם. לערנען ווי דיין באַמערקונג דאַטן זענען פּראַסעסט.

צוריק צו שפּיץ קנעפּל