
Hive ransomware affiliate zeros in on Exchange servers
2022-04-22 16:00

An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to exfiltrate and then encrypt data, threatening to publish the stolen information if the ransom is not paid.

In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerability chain in the victim's Exchange servers, and had encrypted the data within 72 hours of the start of the attack, threat hunters with data security vendor Varonis Systems said in a report this week.
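Because the intrusion described above began with ProxyShell against an internet-facing Exchange server, the first thing a responder wants is a way to hunt the IIS logs for that exploitation pattern. The PowerShell below is an added example and is not code from Varonis or The Register; the indicator it looks for (the Autodiscover path-confusion request, where the query string begins with "@" and names a backend such as mapi/nspi or powershell, and the re-encoded Email=autodiscover/autodiscover.json parameter) comes from the public ProxyShell write-ups, not from this page. The log lines are constructed for the example, and the field list, IP addresses and host names are assumptions.

```powershell
# Added example (not from the Varonis report or The Register article): scan IIS W3C
# logs from an Exchange front end for ProxyShell path-confusion requests.
# The sample log below is constructed for this example; field layout is the default
# IIS W3C one, trimmed to the fields the check needs.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-10 02:13:45 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2022-04-10 02:14:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.7 python-requests/2.25 200
2022-04-10 02:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=REDACTED 443 - 198.51.100.7 python-requests/2.25 200
2022-04-10 02:15:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40example.test 443 EXAMPLE\alice 10.0.0.22 Outlook/16.0 200
'@

function Find-ProxyShellRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive tells us the column order; it can change mid-file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $stem  = $rec['cs-uri-stem']
        $query = $rec['cs-uri-query']

        # Pre-auth path confusion: the front end is asked for
        # /autodiscover/autodiscover.json?@<anything>/<backend path>, so the query
        # starts with "@" and names an Exchange backend (mapi/nspi, powershell, ews...).
        $pathConfusion = ($stem -match '/autodiscover/autodiscover\.json$') -and ($query -match '^@')
        # The same URL is smuggled again inside the Email parameter for the second hop.
        $emailSmuggle  = $query -match 'Email=autodiscover/autodiscover\.json'

        if ($pathConfusion -or $emailSmuggle) {
            $backend = ''
            if ($query -match '^@[^/]+/([^/?]+)') { $backend = $Matches[1] }
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                Method   = $rec['cs-method']
                Stem     = $stem
                Query    = $query
                Status   = $rec['sc-status']
                Backend  = $backend
                Reason   = if ($pathConfusion) { 'autodiscover path confusion' } else { 'Email= smuggling' }
            }
        }
    }
}

# Run over the constructed sample; for a real server feed it Get-Content over the
# Default Web Site logs (by default C:\inetpub\logs\LogFiles\W3SVC1\, an assumption
# about your IIS layout).
$hits = @(Find-ProxyShellRequests -Lines ($SampleLog -split "`r?`n"))
$hits | Format-Table Time, ClientIP, Method, Backend, Reason -AutoSize
```

The constructed sample deliberately mixes two exploit-shaped POSTs from one client with an ordinary authenticated Autodiscover GET from a workstation, so the two regexes have to separate them: a legitimate request carries the user's address in Email=, never a second autodiscover.json URL, and its query string never starts with "@". Successful hits with sc-status 200 against the powershell backend are the ones to treat as a confirmed foothold rather than a probe.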

In another report last year, cybersecurity company Group-IB attributed 335 ransomware attacks to Hive or Hive affiliates.

Microsoft fixed the flaws - tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 - in its April and May 2021 Exchange security updates, about a year before this attack, but not all organizations have updated their Exchange servers. One practical reason is that Exchange security updates normally install only on the current or the immediately preceding cumulative update, so a server left on an older CU cannot take the fix until it is first brought up to a supported CU.

"We strongly believe that these actions were performed to confirm the ability to access the critical servers before the ransomware deployment."

The threat hunters said enterprises can take various steps to better protect themselves against such attacks, including updating Exchange servers with the latest cumulative and security updates from Microsoft, using complex passwords and ensuring users change them periodically, revoking local administrative permissions from domain accounts, and removing inactive user accounts.
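The hardening items above are all things a domain administrator can audit from one PowerShell session. The script below is an added example written for this page, not a tool from Varonis or Microsoft; it reports the Exchange build, checks the default domain password policy, lists domain principals sitting in the local Administrators group and disables enabled accounts that have not logged on recently. The 90-day inactivity window, the 14-character minimum and the "Domain Admins" exception are assumptions for the example, and nothing is changed unless -Enforce is passed (every change runs with -WhatIf otherwise). It needs the ActiveDirectory RSAT module and must run elevated.

```powershell
# Added example (not from the Varonis report or The Register article): audit the
# Exchange patch level and the account-hygiene items on a domain-joined host.
param(
    [int]$InactiveDays = 90,                         # assumption for the example
    [string[]]$KeepLocalAdmin = @('Domain Admins'),  # assumed break-glass exceptions
    [switch]$Enforce                                 # without it every change is -WhatIf
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Patch level. AdminDisplayVersion only identifies the CU; the security update
#    build is carried by ExSetup.exe, so report that when this is an Exchange server
#    and compare it with Microsoft's published build table.
if ($env:ExchangeInstallPath) {
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $build = (Get-Item $exsetup).VersionInfo.ProductVersion
    Write-Host "Exchange build from ExSetup.exe: $build"
}

# 2. Domain password policy: complexity and rotation are domain-wide settings.
#    Fine-grained password policies can override this for specific groups.
$pol = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    Check   = 'Default domain password policy'
    Finding = "MinLength=$($pol.MinPasswordLength) Complexity=$($pol.ComplexityEnabled) MaxAge=$($pol.MaxPasswordAge.Days)d"
    Weak    = (-not $pol.ComplexityEnabled) -or ($pol.MinPasswordLength -lt 14) -or ($pol.MaxPasswordAge.Days -eq 0)
}

# 3. Domain accounts and groups holding local admin on this host. Revoke all of them
#    except the assumed break-glass exceptions.
$domainMembers = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }
foreach ($m in $domainMembers) {
    $short = ($m.Name -split '\\')[-1]
    if ($KeepLocalAdmin -contains $short) { continue }
    Write-Host "Revoking local Administrators membership from $($m.Name) on $env:COMPUTERNAME"
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:(-not $Enforce)
}

# 4. Inactive but still enabled user accounts: disable first, delete after review.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($u in $stale) {
    Write-Host "Disabling inactive account $($u.SamAccountName) (last logon $($u.LastLogonDate))"
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf:(-not $Enforce)
}
```

Run it once without -Enforce to get the list of proposed changes, check the local-admin hits against whatever your build automation or backup agent legitimately needs, then rerun with -Enforce. Disabling rather than deleting stale accounts keeps their SIDs and group memberships recoverable if a user turns out to be on long leave.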


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/22/hive_ransomware_microsoft_exchange/

Related Vulnerability

CVE-2021-34523 (2021-07-14)
  Title:           Improper Authentication vulnerability in Microsoft Exchange Server 2013/2016/2019
  Microsoft title: Microsoft Exchange Server Elevation of Privilege Vulnerability
  Vendor / CWE:    microsoft, CWE-287
  Risk:            critical, CVSS 9.0, local attack vector, low attack complexity

CVE-2021-34473 (2021-07-14)
  Title:           Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019
  Microsoft title: Microsoft Exchange Server Remote Code Execution Vulnerability
  Vendor / CWE:    microsoft, CWE-918
  Risk:            critical, CVSS 9.1, network attack vector, low attack complexity

CVE-2021-31207 (2021-05-11)
  Title:           Unrestricted Upload of File with Dangerous Type vulnerability in Microsoft Exchange Server 2013/2016/2019
  Microsoft title: Microsoft Exchange Server Security Feature Bypass Vulnerability
  Vendor / CWE:    microsoft, CWE-434
  Risk:            CVSS 6.6, network attack vector, high attack complexity