Microsoft Exchange Server users are being targeted by Hive ransomware attack


Every other day, it seems like there’s a news story about some major security issue on a Microsoft product, and today, it seems like Microsoft’s Exchange Server is at the center of another one. Microsoft Exchange Server customers are being targeted by a wave of ransomware attacks carried out by Hive, a well-known ransomware-as-a-service (RaaS) platform that targets businesses and all kinds of organizations.

The attack leverages a set of vulnerabilities in Microsoft Exchange Server known as ProxyShell. This is a critical remote code execution vulnerability that allows attackers to run code on affected systems remotely. While the three vulnerabilities under the ProxyShell umbrella were patched as of May 2021, it’s well-known that many businesses don’t update their software as often as they should. As such, various customers are being affected, including one who spoke to the Varonis Forensics Team, who first reported on these attacks.

Once having exploited the ProxyShell vulnerabilities, the attackers plant a backdoor web script on a public directory on the targeted Exchange server. This script then runs the desired malicious code, which then downloads additional stager files from a command and control server and executed them. The attackers then create a new system administrator and use Mimikatz to steal the NTLM hash, which allows them to take control of the system without knowing anyone’s passwords through a pass-the-hash technique.

With everything in place, the ill-intended actors start scanning the entire network for sensitive and potentially important files. Finally, a custom payload – a file deceptively called Windows.exe – is created and deployed to encrypt all of the data, as well as clear event logs, delete shadow copies, and disable other security solutions so it remains undetected. Once all the data is encrypted, the payload displays a warning to users urging them to pay up to get their data back and keep it safe.

The way that Hive operates is that it doesn’t just encrypt data and ask for a ransom to give it back. The group also operates a website accessible via the Tor browser, where companies’ sensitive data can be shared if they don’t agree to pay up. That creates an additional urgency for victims that want important data to remain confidential.

According to the Varonis Forensics Team’s report, it took under 72 hours from the initial exploitation of the Microsoft Exchange Server vulnerability to the attackers ultimately getting to their desired goal, in one particular case.

If your organization relies on Microsoft Exchange Server, you’ll want to make sure you have the latest patches installed in order to stay protected from this wave of ransomware attacks. It’s generally a good idea to stay as up-to-date as possible considering vulnerabilities are often revealed after patches have been issued, leaving out-of-date systems out in the open for attackers to target.