Hive ransomware used to attack Exchange Server


Attackers affiliated with the Hive ransomware operation break into Microsoft Exchange servers and plant a backdoor. Once inside, they explore the victim's network, steal system administrator credentials, collect confidential data and install malware.

This comes from an analysis by Varonis. The cybersecurity company was engaged by an organisation that had been hit by a ransomware attack.

Critical Vulnerabilities

According to the security company, the attackers target organisations running Microsoft Exchange Server that are still vulnerable to ProxyShell. ProxyShell is the collective name for three vulnerabilities in Microsoft Exchange Server that allow an unauthenticated remote attacker to execute arbitrary code, also known as Remote Code Execution (RCE). Ransomware groups such as Conti, BlackByte, Babuk and LockFile have abused these flaws in the past.

The vulnerabilities are tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31297. On a severity scale of 1 to 10, where 10 is critical, they score between 7.2 (high) and 9.8 (critical).

This is how the perpetrators worked

The attackers installed four web shells in an Exchange directory. They then ran PowerShell code that fetched Cobalt Strike. Using the credential-theft malware Mimikatz, they stole a system administrator's password and abused those credentials to explore the network.
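Web shells dropped under Exchange's front-end directories leave a trace in the IIS logs: requests to .aspx files that Exchange itself never serves. The script below is an added example (not Varonis' code and not from the report above) that parses W3C-format IIS log lines and flags such files. The log lines are constructed for illustration, and the allowlist of legitimate /owa/auth/ pages is an assumption to be tuned against a known-good server of the same build.

```python
"""Flag likely web shell activity in IIS W3C logs from an Exchange front end.

Heuristic: any .aspx request under /aspnet_client/ (Exchange never serves
ASPX there) or under /owa/auth/ that is not on the allowlist is a candidate.
"""

# Directories where dropped web shells are commonly seen on Exchange servers.
WATCHED_PREFIXES = ("/owa/auth/", "/aspnet_client/")

# Assumed allowlist of .aspx pages Exchange legitimately serves under /owa/auth/.
# Build it from a clean reference server; it is not exhaustive.
EXPECTED_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
}

# Constructed sample log (W3C extended format); the 203.0.113.9 lines are the
# hypothetical web shell traffic. Not real data from the incident.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2022-04-01 08:00:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 302
2022-04-01 08:05:10 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=500 443 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
2022-04-01 09:12:33 10.0.0.5 POST /owa/auth/sys.aspx - 443 - 203.0.113.9 python-requests/2.27 200
2022-04-01 09:12:40 10.0.0.5 GET /owa/auth/sys.aspx - 443 - 203.0.113.9 python-requests/2.27 200
2022-04-01 09:13:02 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.27 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directive lines (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misattribute fields
        records.append(dict(zip(fields, parts)))
    return records


def find_web_shell_candidates(records, expected=EXPECTED_ASPX):
    """Return one finding per suspicious .aspx path, ordered by first request time."""
    findings = {}
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx") or not stem.startswith(WATCHED_PREFIXES):
            continue
        if stem in expected:
            continue
        if stem.startswith("/aspnet_client/"):
            reason = "ASPX served from /aspnet_client/ (never legitimate on Exchange)"
        else:
            reason = "ASPX under /owa/auth/ not on the allowlist"
        when = f"{r.get('date', '')} {r.get('time', '')}"
        f = findings.setdefault(stem, {
            "uri": stem, "reason": reason, "first_seen": when,
            "requests": 0, "posts": 0, "clients": set(),
        })
        f["requests"] += 1
        if r.get("cs-method", "").upper() == "POST":
            f["posts"] += 1  # POSTs to an unknown page usually carry the shell's commands
        f["clients"].add(r.get("c-ip", "?"))
        f["first_seen"] = min(f["first_seen"], when)
    result = sorted(findings.values(), key=lambda f: f["first_seen"])
    for f in result:
        f["clients"] = sorted(f["clients"])
    return result


if __name__ == "__main__":
    for f in find_web_shell_candidates(parse_iis_log(SAMPLE_LOG)):
        print(f"{f['first_seen']}  {f['uri']}  {f['requests']} req / {f['posts']} POST "
              f"from {', '.join(f['clients'])}  [{f['reason']}]")
```

Run it against real logs by reading the u_ex*.log files into `parse_iis_log`; a hit with several POSTs from a single external address to a page nobody can account for is the moment to pull the file from disk and compare its hash and timestamp against the rest of the directory.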

According to Varonis, the attackers used network scanners to locate and collect valuable data, intending to use it as leverage to extort the victim and demand a higher ransom. Once the data had been collected, a ransomware payload named 'windows.exe' was executed on multiple computers. Among other things, this disabled
