Security News > 2022 > April > Hive ransomware affiliate zeros in on Exchange servers

An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to encrypt and exfiltrate data and threaten to publicly disclose the information if the ransom isn't paid.

In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers, encrypting the data within 72 hours of the start of the attack, threat hunters with data security vendor Varonis Systems said in a report this week.

In another report last year, cybersecurity company Group-IB attributed 335 ransomware attacks to Hive or Hive affiliates.

Microsoft patched the flaws - tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 - a year ago, but not all organizations updated their Exchange Servers.

"We strongly believe that these actions were performed to confirm the ability to access the critical servers before the ransomware deployment."

The threat hunters said enterprises can take various steps to better protect themselves against such attacks, including updating Exchange servers with the latest Exchange cumulative and security patches from Microsoft, using complex passwords and ensuring users change passwords periodically, revoke local administrative permissions from domain accounts and remove inactive user accounts.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/22/hive_ransomware_microsoft_exchange/