Experts warn that Hive ransomware gang can detect unpatched servers

The Hive threat group has been targeting organizations in the finance, energy and healthcare sectors in coordinated ransomware attacks since June 2021.

During attacks, the group exploits ProxyShell vulnerabilities in Microsoft Exchange servers to remotely execute arbitrary commands and encrypt corporate data with this unique strain of ransomware.

The group is highly organized, with the Varonis research team having recently discovered that a malicious actor was able to penetrate an organization’s environment and encrypt target data with the ransomware strain in less than 72 hours.

These attacks are of particular concern because unpatched Exchange servers are publicly detectable via web crawlers. “Anyone with an unpatched Exchange server is at risk,” said Gartner analyst Peter Firstbrook.

“Even organizations that have migrated to the cloud version of Exchange often still have on-premises Exchange servers that could be exploited if left unpatched. There are already threats in circulation and unpatched servers can be detected with a web crawler, so it is very likely that unpatched servers will be exploited,” Firstbrook added.

How risky is ProxyShell?

Despite the significance of these vulnerabilities, many organizations have failed to patch their on-premises Exchange servers (these vulnerabilities do not affect online Exchange servers or Office 365).

Last year, Mandiant reported that approximately 30,000 Exchange servers remained unpatched, and recent attacks show that many organizations have been slow to update their systems.

This is problematic given that the vulnerabilities allow an attacker to remotely execute arbitrary commands and malicious code on Microsoft Exchange Server through port 443.

“Attackers continue to exploit ProxyShell vulnerabilities that were initially disclosed over eight months ago. They have proven to be a reliable resource for attackers since their disclosure, despite the availability of patches,” said Claire Tills, senior research engineer at Tenable.

“The latest attacks from a subsidiary of the Hive ransomware group are made possible by the ubiquity of Microsoft Exchange and the apparent delays in patching these months-old vulnerabilities. Organizations around the world in various industries are using Microsoft Exchange for critical business functions, making them an ideal target for threat actors.”

According to Tills, organizations that fail to patch their Exchange servers allow attackers to reduce the amount of reconnaissance and immediate action they need to take to infiltrate target systems.

Detect ProxyShell intrusions

Organizations that are slow to patch, such as less mature or understaffed IT organizations, may fall into the trap of thinking that, just because there are no obvious signs of intrusion, no one has used ProxyShell to gain a foothold in the environment – but this isn’t always the case.

Firstbrook notes that while “Ransomware attacks will be obvious to organizations when they occur, however, there are many other attack techniques that [are] much stealthier, so lack of ransomware doesn’t mean the Exchange server isn’t already compromised.”

It’s for this reason that Brian Donohue, Senior Information Security Specialist at Red Canary, recommends that organizations ensure they can detect the execution of Cobalt Strike or Mimikatz, even if they cannot update Exchange.

“Having broad defense in depth against a wide range of threats means that even if you can’t patch your Exchange servers or the adversary uses an entirely new trade craft in parts of the attack, you can still catch the Mimikatz activity, or you might get an alert that searches for the heavily obfuscated PowerShell used by Cobalt Strike – all of this happens before anything is encrypted,” Donohue said.

In other words, organizations that haven’t patched vulnerabilities can still protect themselves by using managed detection and response and other security solutions to detect malicious activity that occurs before ransomware encryption, so that they can react before it is too late.
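The kind of pre-encryption detection Donohue describes, as an added example that is not part of the original article or any vendor's product: a small Python rule set that scans constructed process-creation events for an Exchange IIS worker spawning a shell, decodes PowerShell `-EncodedCommand` payloads before matching Cobalt Strike-style loader indicators, and flags Mimikatz module syntax. The event format, rule names and thresholds are assumptions.

```python
import base64
import re

# Constructed sample process-creation events, not real telemetry:
# (host, parent image, command line). The first mimics an IIS worker on an
# Exchange server launching a hidden, encoded PowerShell loader.
ENC_PAYLOAD = ("Invoke-Expression ([Text.Encoding]::Unicode.GetString("
               "[Convert]::FromBase64String('QQBBAEEA')))")
EVENTS = [
    ("ex01", "w3wp.exe", "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(ENC_PAYLOAD.encode("utf-16le")).decode()),
    ("ex01", "explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ("ws07", "cmd.exe", "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
]

# Hypothetical rule set: switches and cmdlets rare in admin scripts but common
# in Cobalt Strike style loaders, plus Mimikatz module syntax. Tune per estate.
PS_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
ENC_RE = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MIMIKATZ_RE = re.compile(r"\b(sekurlsa|privilege|lsadump)::", re.I)
WEB_WORKER = "w3wp.exe"  # IIS worker hosting Exchange; it should never spawn shells


def analyze(parent, cmdline):
    """Return the sorted indicator names triggered by one process event."""
    hits = set()
    text = cmdline
    m = ENC_RE.search(cmdline)
    if m:
        hits.add("encoded_command")
        try:  # -enc carries a UTF-16LE script; decode it and scan that as well
            text += " " + base64.b64decode(m.group(2)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            hits.add("undecodable_encoded_command")
    hits.update(name for name, pat in PS_PATTERNS.items() if pat.search(text))
    if MIMIKATZ_RE.search(cmdline):
        hits.add("mimikatz_module_syntax")
    if parent.lower() == WEB_WORKER and re.search(r"(powershell|cmd)\.exe", cmdline, re.I):
        hits.add("exchange_worker_spawned_shell")
    return sorted(hits)


def scan(events):
    """Alerts (host, indicators) for every event that trips at least one rule."""
    return [(h, analyze(p, c)) for h, p, c in events if analyze(p, c)]
```

Decoding the encoded command before matching is what lets the `Invoke-Expression` and `FromBase64String` rules fire on the first event even though neither string appears in the raw command line.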

VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions.