Anatomy of a Hive Ransomware Attack on Exchange via ProxyShell

Sicherheit (Pexels, allgemeine Nutzung)[German]Often, the details of a ransomware infection remain obscure to outsiders. This week, I received a briefing from security services provider Varonis, whose security team has unraveled the course of an attack using the Hive ransomware. The Hive group operates as a ransomware-as-a-service provider and has been responsible for numerous attacks. In the current case, vulnerabilities in Exchange servers were exploited.


The Hive ransomware group

Hive is a ransomware-as-a-service used by cybercriminals, and has been discovered first in June 2021. The Hive ransomware is used  to attack healthcare facilities, non-profit organizations, retailers, utilities and other industries worldwide. In Germany, the attack on Media Markt/Saturn was carried out by this group (Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand).

For the most part, common ransomware tactics, techniques and procedures (TTPs) are used to compromise victims' devices. For example, phishing emails with malicious attachments, stolen VPN credentials, and vulnerabilities, among others, are used to penetrate target systems. 

Group's actions observed

During a deployment to a customer, Varonis' forensics team investigated such an attack and was able to document the cybercriminals' actions.

Phase 1: ProxyShell and WebShell

First, the attackers exploited known (but unpatched) ProxyShell vulnerabilities of Exchange servers to place a malicious backdoor script (web shell) in a publicly accessible directory on the Exchange server. These webscripts could then execute malicious PowerShell code through the compromised server with SYSTEM privileges.

Phase 2: Cobalt Strike

The malicious PowerShell code downloaded additional stagers from a remote Command & Control server connected to the Cobalt Strike framework. The stagers were not written to the file system, but executed in memory.


Phase 3: Mimikatz and Pass-The-Hash

Exploiting SYSTEM permissions, the attackers created a new system administrator named "user" and proceeded to the credential dump phase, where they used Mimikatz. Using its "logonPasswords" module, they were able to extract the passwords and NTLM hashes of the accounts logged into the system and save the results to a text file on the local system. Once the attackers had the administrator's NTLM hash, they used the pass-the-hash technique to gain highly privileged access to other resources on the network. 

Phase 4: Search for sensitive information

Next, the attackers conducted extensive reconnaissance activities throughout the network. In addition to searching for files containing "password" in their names, they also used network scanners and captured the IP addresses and device names of the network, followed by RDPs to backup servers and other important resources.

Phase 5: Ransomware deployment

Finally, a custom malware payload written in Golang, named Windows.exe, was distributed and executed on various devices. Several operations were performed in the process, such as deleting shadow copies, disabling security products, deleting Windows event logs and removing access rights. In this way, a smooth and far-reaching encryption process was ensured. A ransomware demand note was also created during the encryption phase.

The anatomy of this attack shows that in the beginning, failures on the customer's side enabled the attack because the ProxyShell vulnerability in Exchange Server was not closed.

Enterprises should act

Ransomware attacks have increased significantly in recent years and remain the preferred method of financially motivated cybercriminals. The impact of an attack can be devastating: it can damage a company's reputation, cause lasting disruption to regular operations, and lead to a temporary, and possibly permanent, loss of sensitive data, as well as hefty fines under the GDPR.

Although detecting and responding to such incidents can be challenging, most malicious activity can be prevented if the right security tools and incident response plans are in place and patches for known vulnerabilities have been applied. As a result, the Varonis forensics team recommends the following actions:

  • Update the Exchange server to the latest Exchange cumulative updates (CU) and security updates (SU) provided by Microsoft.
  • Enforce the use of complex passwords and require users to change their passwords regularly.
  • Use Microsoft LAPS -to revoke local admin privileges from domain accounts (least privilege approach). Regularly check for inactive user accounts and remove them.
  • Block the use of SMBv1 and use SMB signing to protect against pass-the-hash attacks. .
  • Limit employee access rights to files they actually need to do their jobs.
  • Automatically detect and prevent access control changes that violate your policies.
  • Train your employees on cybersecurity principles. Regular awareness training must be a fundamental part of your company's culture.
  • Establish basic security practices and rules of conduct that describe how to handle and protect company and customer information and other important data.

These are actually rules that I have already addressed here on the blog in a similar form – especially the topic of patching in relation to Exchange came up often enough (see links below)

Similar articles:
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks
ProxyShell, Squirrelwaffle and a new PoC Exploit, patch your Exchange Server!
Exchange and ProxyShell: News from Microsoft and security experts
ProxyShell, ProxyLogon and Microsoft's contradictious Exchange doc for virus scan exceptions
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Attacks on Exchange Server via ProxyShell vulnerability (8/13/2021)
Exchange Server: Update on ProxyShell vulnerabilities
ProxyNoShell: Mandiant warns of new attack methods on Exchange servers (Nov. 2021)

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *