Every couple of days there seems to be a news story about a major security issue with one Microsoft product, and today it seems Microsoft’s Exchange Server is at the center of another. Microsoft Exchange Server customers are being targeted by a wave of ransomware attacks led by Hive, a well-known ransomware-as-a-service (RaaS) platform that targets businesses and all kinds of organizations.
The attack exploits a set of vulnerabilities in Microsoft Exchange Server known as ProxyShell. This is a critical remote code execution vulnerability that allows attackers to remotely execute code on affected systems. Although the three vulnerabilities under the ProxyShell umbrella were patched in May 2021, it is well known that many companies do not update their software as often as they should. As such, various customers are affected, including one who spoke to the Varonis Forensics team, who first reported on these attacks.
After exploiting ProxyShell vulnerabilities, attackers place a backdoor web script on a public directory on the targeted Exchange server. This script then executes the desired malicious code, which then downloads additional transfer files from a command and control server and executes them. The attackers then create a new sysadmin and use Mimikatz to steal the NTLM hash, allowing them to take control of the system without knowing anyone’s passwords through a pass-the-hash technique.
With everything in place, bad actors start scanning the entire network for sensitive and potentially important files. Finally, a custom payload – a file misleadingly called Windows.exe – is created and deployed to encrypt all data, as well as clear event logs, delete shadow copies, and disable other security solutions so that they are not detected. After all data is encrypted, the payload displays a warning to users asking them to pay to recover their data and keep it safe.
The way Hive works is that it doesn’t just encrypt data and demand a ransom to return it. The group also operates a website accessible through the Tor browser, where companies’ sensitive data can be shared if they don’t agree to pay. This creates additional urgency for victims who want important data to remain confidential.
According to the report by the Varonis Forensics team, it took less than 72 hours from the initial exploitation of the Microsoft Exchange Server vulnerability to the attackers finally achieving the desired objective, in one particular case.
If your organization relies on Microsoft Exchange Server, you need to ensure that the latest patches are installed in order to stay protected against this wave of ransomware attacks. It’s generally a good idea to stay as up-to-date as possible since vulnerabilities are often revealed after patches are released, leaving outdated systems in full view of attackers.
Via: ZD Net