A Hive ransomware affiliate has been deploying several backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers vulnerable to the ProxyShell flaws. The threat actors then conduct network reconnaissance, obtain domain admin credentials, exfiltrate sensitive data, and finally deploy the file-encrypting payload. The findings come from Varonis, a security and analytics firm brought in to investigate a ransomware attack on one of its clients.
ProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that, chained together, allow unauthenticated remote code execution on unpatched deployments. After the vulnerabilities became public, many threat actors exploited them, including the Conti, BlackByte, Babuk, Cuba, and LockFile ransomware operations. The flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, with CVSS severity ratings ranging from 7.2 (high) to 9.8 (critical).
Although the flaws were considered fully patched as of May 2021, detailed technical write-ups were first released in August 2021, and in-the-wild exploitation began soon after. The Hive affiliate's successful use of ProxyShell in a recent attack shows that unpatched servers are still out there to be targeted.
The attackers used ProxyShell to plant four web shells in a web-accessible Exchange directory, then ran PowerShell scripts with elevated privileges to download Cobalt Strike stagers. The web shells used in this attack were taken from a public Git repository and simply renamed to evade detection during manual inspection. The attackers then ran Mimikatz, a credential-dumping tool, to obtain the password of a domain admin account and move laterally, gaining access to more network assets. Next, they conducted extensive file searches to find the most valuable data, so as to pressure the victim into paying a higher ransom.
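The intrusion path described above leaves traces in the Exchange front end's IIS logs: the CVE-2021-34473 path-confusion requests to autodiscover.json carry an "@" in the query string, the CVE-2021-34523 step carries an X-Rps-CAT parameter, and a dropped web shell shows up as requests to an .aspx file under one of the IIS web roots. The hunting script below is an added example, not Varonis's tooling or anything recovered from the attack; the log lines, the drop-directory list, and the allowlist of known-good .aspx pages are constructed assumptions to adapt to your own environment.

```python
"""
Hunt an Exchange front-end IIS log (W3C format) for ProxyShell exploitation
and web-shell requests. Added example; SAMPLE_LOG is constructed, not taken
from the Varonis investigation.
"""
from collections import defaultdict

# Directories where ProxyShell post-exploitation typically drops .aspx files
# (the CVE-2021-31207 mailbox-export write lands under the IIS web roots).
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
# .aspx pages that legitimately live there on a stock install (assumption:
# extend this per environment; anything else under those paths is suspicious).
KNOWN_GOOD_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx",
                   "/owa/auth/errorfe.aspx", "/ecp/auth/timeoutlogout.aspx"}


def parse_w3c(text):
    """Yield (line_no, record) per data line, using the #Fields header for column names."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield n, dict(zip(fields, values))


def classify(rec):
    """Return a rule name if the request matches a ProxyShell/web-shell pattern, else None."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"]
    # CVE-2021-34473: the explicit-logon path confusion puts '@<anything>/' in the
    # autodiscover.json request so the front end forwards it to an arbitrary backend path.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        if "x-rps-cat" in query.lower():
            return "proxyshell-powershell-backend"   # CVE-2021-34523 token in the query
        return "proxyshell-path-confusion"
    # Web shell: an .aspx under a drop directory that is not part of the product.
    if stem.endswith(".aspx") and stem.startswith(WEBSHELL_DIRS) and stem not in KNOWN_GOOD_ASPX:
        return "webshell-request"
    return None


def hunt(text):
    """Return (findings, by_ip): findings are (line_no, client_ip, rule, uri) tuples,
    by_ip maps each client IP to the set of rules it triggered, so the chain
    (path confusion -> PowerShell backend -> web shell) from one source is obvious."""
    findings, by_ip = [], defaultdict(set)
    for n, rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            query = rec["cs-uri-query"]
            uri = rec["cs-uri-stem"] + ("?" + query if query != "-" else "")
            findings.append((n, rec["c-ip"], rule, uri))
            by_ip[rec["c-ip"]].add(rule)
    return findings, dict(by_ip)


# Constructed sample: one legitimate OWA logon, one ProxyShell chain from 203.0.113.9
# followed by a request to a dropped web shell, and one benign static-file request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-11-03 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 31
2021-11-03 09:13:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 120
2021-11-03 09:13:46 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 540
2021-11-03 09:15:02 10.0.0.5 POST /aspnet_client/system_web.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2021-11-03 09:16:10 10.0.0.5 GET /owa/auth/Current/themes/resources/favicon.ico - 443 - 10.0.0.78 Mozilla/5.0 - 200 0 0 2
"""

if __name__ == "__main__":
    findings, by_ip = hunt(SAMPLE_LOG)
    for line_no, ip, rule, uri in findings:
        print(f"line {line_no}: {ip} {rule} {uri}")
    for ip, rules in by_ip.items():
        print(ip, sorted(rules))
```

Point it at the real files under `C:\inetpub\logs\LogFiles\W3SVC1\` (and the Exchange HttpProxy logs if you want the backend view). Because the web-shell rule is an allowlist, expect to tune KNOWN_GOOD_ASPX once against a clean server; the two ProxyShell rules should never fire in normal traffic.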
Varonis researchers also found dropped network scanners, device and directory enumeration, lists of IP addresses, scans of SQL databases, RDP connections to backup servers, and more. One notable case of legitimate tooling being abused was “SoftPerfect,” a lightweight network scanner the threat actor used to enumerate live hosts by pinging them and writing the results to a text file. Finally, once the selected files had been exfiltrated, a ransomware payload named “Windows.exe” was dropped and executed on multiple machines.
Before encrypting the organization’s files, the Golang payload disabled Windows Defender, cleared the Windows event logs, stopped processes that hold files open, and stopped the Security Accounts Manager service to silence alerts. Hive has come a long way since it was first spotted in the wild in June 2021; its rapid rise prompted the FBI to publish a flash alert on its tactics, techniques, and indicators of compromise.
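The pre-encryption tampering described above is visible in standard Windows event records: Microsoft Defender logs event 5001 when real-time protection is disabled, the Eventlog service writes 104 (System) and 1102 (Security) when a log is cleared, and the Service Control Manager writes 7036 when a service such as the Security Accounts Manager stops. Any one of these can be benign on its own; several within minutes on the same host is the pattern worth alerting on. The correlation below is an added example, not Varonis's or the FBI's detection content; the event records, the 10-minute window, and the set of watched services are constructed assumptions.

```python
"""
Correlate Windows event records for the pre-encryption tampering the article
attributes to the Hive payload: Defender disabled, event logs cleared, and
services stopped. Added example with constructed records; not Hive or Varonis code.
"""
from datetime import datetime, timedelta

# Standard Windows event IDs; mapping them to a tampering category is this example's choice.
EVENT_RULES = {
    ("Security", 1102): "log-cleared",           # "The audit log was cleared"
    ("System", 104): "log-cleared",              # "The System log file was cleared"
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender-disabled",  # real-time protection off
    ("Microsoft-Windows-Windows Defender/Operational", 5010): "defender-disabled",  # malware scanning off
}
# SCM 7036 reports every service state change; a stop of these is treated as tampering
# (display names as they appear in the 7036 message; assumption, extend per environment).
WATCHED_SERVICES = {"Security Accounts Manager", "Microsoft Defender Antivirus Service"}


def classify(rec):
    """Return the tampering category for one event record, or None if it is not of interest."""
    cat = EVENT_RULES.get((rec["channel"], rec["event_id"]))
    if cat:
        return cat
    if rec["channel"] == "System" and rec["event_id"] == 7036:
        service, state = rec["params"]          # "The %1 service entered the %2 state."
        if service in WATCHED_SERVICES and state == "stopped":
            return "service-stopped"
    return None


def correlate(records, window=timedelta(minutes=10), min_categories=2):
    """Group tampering events by host and alert when at least min_categories distinct
    categories occur inside one time window. Each alert lists the host, the span,
    the categories seen and the event IDs in order, so an analyst can replay the sequence."""
    by_host = {}
    for rec in records:
        cat = classify(rec)
        if cat:
            by_host.setdefault(rec["host"], []).append((rec["time"], cat, rec["event_id"]))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            cluster = events[i:j]
            categories = sorted({c for _, c, _ in cluster})
            if len(categories) >= min_categories:
                alerts.append({"host": host, "start": start, "end": cluster[-1][0],
                               "categories": categories,
                               "event_ids": [eid for _, _, eid in cluster]})
                i = j                           # do not re-alert on the same cluster
            else:
                i += 1
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample: a benign service start hours earlier, then the full tampering
# sequence on EXCH01 within 40 seconds, and a lone log-clear on WKS05 (no alert).
SAMPLE_EVENTS = [
    {"host": "EXCH01", "time": _t("2021-11-03 22:10:12"), "channel": "System", "event_id": 7036,
     "params": ["Print Spooler", "running"]},
    {"host": "EXCH01", "time": _t("2021-11-03 22:40:01"),
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "params": []},
    {"host": "EXCH01", "time": _t("2021-11-03 22:40:30"), "channel": "System", "event_id": 104,
     "params": ["System"]},
    {"host": "EXCH01", "time": _t("2021-11-03 22:40:31"), "channel": "Security", "event_id": 1102,
     "params": []},
    {"host": "EXCH01", "time": _t("2021-11-03 22:40:40"), "channel": "System", "event_id": 7036,
     "params": ["Security Accounts Manager", "stopped"]},
    {"host": "WKS05", "time": _t("2021-11-03 22:41:00"), "channel": "Security", "event_id": 1102,
     "params": []},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], "->", alert["end"], alert["categories"], alert["event_ids"])
```

Because the payload clears the logs on the host itself, this only works reliably against records that were already forwarded to a collector (Windows Event Forwarding, a SIEM agent); the 1102 and 104 events are written after the clear and do survive locally, but everything before them is gone.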