Microsoft Exchange Server attacked by Hive’s “windows.exe” ransomware

While keeping software updated and only downloading files from trusted sources are standard cybersecurity practices, given the recent rise in malware attacks, it’s clear that more is needed in this regard educate. To that end, the Varonis forensics team has provided some guidance on how attackers using Hive ransomware are targeting Microsoft Exchange Server in their latest series of attacks. For those who don’t know, Hive follows a ransomware-as-a-service model.

While Microsoft patched Exchange Server for known vulnerabilities in 2021 and most organizations have updated, some have not. Hive now targets these vulnerable server instances via a ProxyShell vulnerability to gain SYSTEM privileges. The PowerShell script then starts Cobalt Strike and creates a new sysadmin account named "user".

After this, Mimikatz was used to steal the domain administrator's NTLM hash and gain control of the account. After a successful compromise, Hive performs some discovery where it deploys a network scanner to store IP addresses, scans files that contain "password" in their file names, and attempts to RDP into the backup server to access sensitive assets.

Finally, the custom malware payload is deployed and executed via a "windows.exe" file, which steals and encrypts files, deletes shadow copies, clears event logs, and disables security mechanisms. Ransomware instructions are then displayed asking the group to contact Hive's "sales department" hosted on a .onion address accessible through the Tor network. The following instructions have also been provided to infected organizations:

• Do not modify, rename, or delete *.key. document. Your data will not be able to be decrypted.
• Do not modify or rename encrypted files. You will lose them.
• Do not report to the police, FBI, etc. They don't care about your business. They don't allow you to pay at all. As a result you will lose everything.
• Don’t hire a recovery company. They cannot decrypt without the key. They don't care about your business either. They believe they are good negotiators, but they are not. They usually fail. So speak for yourself.
• Don't refuse (sic) the purchase. Leaked documents will be publicly disclosed.

The last point is certainly interesting because if Hive had not been paid, their information would have been published on the "HiveLeaks" Tor website. A countdown is displayed on the same website to force victims to pay.

The security team noted that in one instance, the attackers managed to encrypt the environment within 72 hours of the initial breach. Therefore, it recommends that organizations immediately patch Exchange servers, regularly rotate complex passwords, block SMBv1, restrict access where possible, and train employees in the area of ​​cybersecurity.

The above is the detailed content of Microsoft Exchange Server attacked by Hive’s “windows.exe” ransomware. For more information, please follow other related articles on the PHP Chinese website!