A Hive ransomware affiliate has targeted Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors including the Cobalt Strike beacon.
From there, the threat actors performed network reconnaissance, stole administrator account credentials, exfiltrated valuable data, and finally deployed the file-encryption payload.
The details come from the security and analytics firm Varonis, which was called in to investigate a ransomware attack against one of its clients.
Widely abused initial access
ProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that allow unauthenticated remote code execution on vulnerable deployments. The flaws were used by multiple threat actors, including ransomware operations such as Conti, BlackByte, Babuk, Cuba, and LockFile, once exploit code became available.
The flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, and their severity rating ranges from 7.2 (high) to 9.8 (critical).
The vulnerabilities had been fully patched by May 2021, but detailed technical information about them was not published until August 2021, and malicious exploitation began shortly afterwards [1, 2].
The fact that the Hive affiliate successfully exploited ProxyShell in a recent attack shows that it is still possible to target vulnerable servers.
From access to encryption
Following the ProxyShell exploit, hackers planted four web shells in an accessible Exchange directory and executed PowerShell code with elevated privileges to download Cobalt Strike stagers.
The web shells used in this particular attack came from a public Git repository and had simply been renamed to evade detection during any manual inspection.
From there, the intruders used Mimikatz, a credential stealer, to grab the password of a domain administrator account and move laterally, gaining access to more assets on the network.
Then the threat actors performed deep file search operations to locate the most valuable data to pressure the victim to pay a bigger ransom.
Varonis analysts found remnants of abandoned network scanners, IP address lists, device and directory enumerations, RDP sessions to backup servers, SQL database scans, and more.
A notable case of abuse of network scanning software was “SoftPerfect”, a lightweight tool that the threat actor used to enumerate live hosts by pinging them and saving the results to a text file.
Finally, and after all files were exfiltrated, a ransomware payload named “Windows.exe” was dropped and executed on multiple devices.
Before encrypting the organization's files, the Golang payload deleted shadow copies, disabled Windows Defender, cleared Windows event logs, killed file-binding processes, and stopped the Security Accounts Manager to incapacitate alerting.
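Those pre-encryption steps are noisy on the endpoint and are worth alerting on before the encryptor runs. As an added example (not from Varonis or the original article), the Python below runs over constructed process-creation records and flags hosts where several of the behaviours described above cluster together; the host names, command lines and rule patterns are illustrative assumptions, not indicators from the investigation.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 fields, simplified).
# Illustrative only; these are not data from the Varonis investigation.
SAMPLE_EVENTS = [
    {"host": "ex01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ex01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ex01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop SamSs /y"},
    {"host": "fs02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},   # benign query, not a clear
    {"host": "ws07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# One pattern per pre-encryption behaviour described in the write-up.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    "sam_service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+SamSs\b", re.I),
}

def match_event(event):
    """Return the names of all rules the event's command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]

def behaviours_per_host(events):
    """Map host -> set of distinct pre-encryption behaviours observed on it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_event(ev))
    return dict(seen)

def hosts_to_alert(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours. A lone
    'wevtutil cl' can be admin hygiene; several of these on one host match
    the pre-encryption sequence and deserve an immediate response."""
    return sorted(h for h, b in behaviours_per_host(events).items() if len(b) >= threshold)

if __name__ == "__main__":
    print(behaviours_per_host(SAMPLE_EVENTS))
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```

In production the same rules would be fed from Sysmon or EDR telemetry rather than an inline list, and the window should be bounded in time so that unrelated admin activity weeks apart does not accumulate into an alert.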
Evolution of Hive
Hive has come a long way since it was first observed in the wild in June 2021, with a start successful enough to prompt the FBI to release a dedicated report on its tactics and indicators of compromise.
In October 2021, the Hive gang added Linux and FreeBSD variants, and in December it became one of the most active ransomware operations in terms of attack frequency.
Last month, researchers at Sentinel Labs reported on a new payload obfuscation method employed by Hive, indicating active development.