Security News > 2022 > April > Microsoft Exchange servers hacked to deploy Hive ransomware
A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.
From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, ultimately deploying the file-encrypting payload. The details come from security and analytics company Varonis, who was called in to investigate a ransomware attack on one of its customers.
ProxyShell is a set of three vulnerabilities in the Microsoft Exchange Server that allow remote code execution without authentication on vulnerable deployments.
The flaws have been used by multiple threat actors, including ransomware like Conti, BlackByte, Babuk, Cuba, and LockFile, after exploits became available.
The security vulnerabilities are considered fully patched as of May 2021, but extensive technical details about them were only made available in August 2021, and soon after that, malicious exploitation started [1, 2]. The fact that Hive's affiliate was successful in exploiting ProxyShell in a recent attack shows that there is still room for targeting vulnerable servers.
In October 2021, the Hive gang added Linux and FreeBSD variants, and in December it became one of the most active ransomware operations in attack frequency.
News URL
Related news
- ScreenConnect servers hacked in LockBit ransomware attacks (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Interpol's latest cybercrime intervention dismantles ransomware, banking malware servers (source)
- Microsoft is bringing the Linux sudo command to Windows Server (source)
- US offers $10 million for tips on Hive ransomware leadership (source)
- Uncle Sam sweetens the pot with $15M bounty on Hive ransomware gang members (source)
- Microsoft: Outlook clients not syncing over Exchange ActiveSync (source)
- U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders (source)