
Microsoft Exchange Server attacked by Hive's "windows.exe" ransomware

Keeping software updated and downloading files only from trusted sources are standard cybersecurity practices, but the recent rise in malware attacks shows that more education is needed. To that end, the Varonis forensics team has published guidance on how attackers using Hive ransomware are targeting Microsoft Exchange Server in their latest series of attacks. For those who don't know, Hive operates under a ransomware-as-a-service model.

Microsoft patched the relevant Exchange Server vulnerabilities in 2021 and most organizations have applied the updates, but some have not. Hive now targets these unpatched servers through the ProxyShell vulnerability chain to gain SYSTEM privileges. A PowerShell script run with those privileges then launches Cobalt Strike and creates a new system administrator account named "user".

Next, Mimikatz was used to steal the domain administrator's NTLM hash and take over that account. Once the domain is compromised, Hive carries out discovery: it deploys a network scanner to collect IP addresses, searches for files whose names contain "password", and attempts to RDP into the backup server to reach sensitive assets.

Finally, the custom malware payload is deployed and executed as a file named "windows.exe", which exfiltrates and encrypts files, deletes shadow copies, clears event logs, and disables security mechanisms. A ransom note is then displayed asking the victim to contact Hive's "sales department" on a .onion address reachable only over the Tor network. The note also gives infected organizations the following instructions:

  • Do not modify, rename, or delete *.key files. Your data will become undecryptable.
  • Do not modify or rename encrypted files. You will lose them.
  • Do not report to the police, FBI, etc. They don't care about your business. They don't allow you to pay at all. As a result you will lose everything.
  • Don’t hire a recovery company. They cannot decrypt without the key. They don't care about your business either. They believe they are good negotiators, but they are not. They usually fail. So speak for yourself.
  • Don't refuse (sic) the purchase. Leaked documents will be publicly disclosed.
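The intrusion chain described above leaves ordinary Windows audit artefacts at almost every step: a new local account (Security event 4720), a member added to Administrators (4732), the Security log being cleared (1102, with the System log counterpart 104), and process creations (4688) for shadow-copy deletion, event-log clearing, and the "windows.exe" payload itself. The following hunting script is an added example written for this page, not code from the article or from Varonis; it assumes process-creation auditing with command-line logging is enabled, and the account name "user" and the file name "windows.exe" are taken from the article, while the seven-day look-back window and the command patterns are the example's own assumptions.

```powershell
# Added example (not from the article or Varonis): hunt the local event logs for
# artefacts of the Hive chain. Run elevated on the Exchange server, the backup
# server and a domain controller. Assumes 4688 auditing with command line
# logging; look-back window and patterns are assumptions.
param([int]$LookBackDays = 7)
$Since = (Get-Date).AddDays(-$LookBackDays)

# Commands the article describes: shadow copy deletion and event log clearing.
$DestructivePattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog|wevtutil(\.exe)?\s+cl\s'
$SuspectAccount = 'user'        # account name reported in the article
$PayloadPattern = '\\windows\.exe$'   # payload file name reported in the article

# Helper: read a named EventData field from an event record via its XML view.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([object]$Event, [string]$What, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Finding = $What; Detail = $Detail })
}

# Security log: 4720 account created, 4732 member added to local group,
# 1102 audit log cleared, 4688 process created.
$security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 1102, 4688; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $security) {
    switch ($e.Id) {
        4720 {
            $name = Get-EventField $e 'TargetUserName'
            $flag = if ($name -eq $SuspectAccount) { 'Account created with the name reported for Hive' } else { 'Account created' }
            Add-Finding $e $flag $name
        }
        4732 {
            $group = Get-EventField $e 'TargetUserName'
            if ($group -eq 'Administrators') {
                $member = Get-EventField $e 'MemberName'
                $sid = Get-EventField $e 'MemberSid'
                Add-Finding $e 'Member added to local Administrators' "$member ($sid)"
            }
        }
        1102 { Add-Finding $e 'Security log cleared' (Get-EventField $e 'SubjectUserName') }
        4688 {
            $img = Get-EventField $e 'NewProcessName'
            $cmd = Get-EventField $e 'CommandLine'
            if ($img -match $PayloadPattern) { Add-Finding $e 'Process image named windows.exe' $img }
            if ($cmd -match $DestructivePattern) { Add-Finding $e 'Shadow copy deletion or log clearing command' $cmd }
        }
    }
}

# System log: 104 is written by the Eventlog service when any log is cleared.
$system = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $system) {
    if ($e.ProviderName -eq 'Microsoft-Windows-Eventlog') { Add-Finding $e 'Event log cleared' $e.Message.Split("`n")[0] }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Without the "Include command line in process creation events" policy the 4688 records carry no CommandLine field, so the vssadmin/wevtutil match silently finds nothing; the account and group-membership events need only the default Account Management auditing. An empty result after the log has been cleared is itself the finding: the 1102 and 104 records survive the clearing because they are written as the new first entries.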

The last point is notable: if the victim does not pay, Hive publishes the stolen data on its "HiveLeaks" Tor site. The same site displays a countdown to pressure victims into paying.

The security team noted that in one case the attackers managed to encrypt the environment within 72 hours of the initial breach. It therefore recommends that organizations patch their Exchange servers immediately, rotate complex passwords regularly, block SMBv1, restrict access wherever possible, and train employees in cybersecurity.
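The following check script is an added example for the recommendations above, not code from the article or from Varonis. It reports the Exchange build (the ExSetup.exe file version, which unlike AdminDisplayVersion changes with each Security Update, to be compared against Microsoft's Exchange build table), the SMBv1 state, the local Administrators membership, and Domain Admins whose password is older than a threshold. It assumes an elevated Exchange Management Shell on Windows Server with the ActiveDirectory RSAT module; the 90-day threshold and the -Remediate switch are the example's own assumptions, and nothing is changed unless that switch is given.

```powershell
# Added example (not from the article or Varonis): verify the hardening points
# recommended above. Assumes elevated Exchange Management Shell on Windows
# Server; 90-day threshold and -Remediate switch are assumptions. Read-only by
# default.
param([switch]$Remediate, [int]$MaxPasswordAgeDays = 90)
$report = [ordered]@{}

# 1. Exchange build. ExSetup.exe is on PATH inside the Exchange Management
#    Shell; its product version reflects the installed Security Update.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
$report['ExchangeBuild'] = if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion }
                           else { 'ExSetup.exe not found (not an Exchange server, or not the Exchange Management Shell)' }

# 2. SMBv1: the server protocol switch and, on Windows Server, the feature itself.
$smb = Get-SmbServerConfiguration
$report['SMB1ProtocolEnabled'] = $smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMB1Action'] = 'Disabled SMB1 server protocol'
}
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name FS-SMB1
    $report['SMB1FeatureInstalled'] = [bool]$feature.Installed
    if ($feature.Installed -and $Remediate) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null   # takes effect after a reboot
        $report['SMB1FeatureAction'] = 'FS-SMB1 removed, reboot required'
    }
}

# 3. Local Administrators: an unexpected member such as "user" stands out here.
$report['LocalAdministrators'] = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }) -join ', '

# 4. Domain Admins password age, since the article describes the domain
#    administrator's NTLM hash being stolen with Mimikatz.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $stale = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object -ExpandProperty SamAccountName
    $report['DomainAdminsWithStalePassword'] = $stale -join ', '
} else {
    $report['DomainAdminsWithStalePassword'] = 'ActiveDirectory module not available'
}

[pscustomobject]$report | Format-List
```

Run it once read-only to review the report, then with -Remediate on servers where SMBv1 is confirmed unused; the feature removal needs a reboot, and the Exchange build still has to be compared by hand against Microsoft's published build numbers, since the script does not embed a "known good" version.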


Statement
This article is reproduced from 云东方.
