Ransomware targets organizations with ProxyShell exploit

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload.

Hive and their affiliates access their victims’ networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploiting weaknesses on external-facing assets. Furthermore, Hive leaves a plain-text ransom letter threatening to disclose the victim’s data on the TOR website ‘HiveLeaks‘ if the victim does not meet the attacker’s terms.

The Organizations can mitigate the risk by following the recommendations: •Use multi-factor authentication. •Keep all operating systems and software up to date. •Remove unnecessary access to administrative shares. •Maintain offline backups of data and Ensure all backup data is encrypted and immutable. •Enable protected files in the Windows Operating System for critical files.

The MITRE ATT&CK TTPs used by Hive Ransomware are:

TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0011: Command and Control
TA0010: Exfiltration
TA0040: Impact
T1190: Exploit Public-Facing Application
T1566: Phishing
T1566.001: Spear-phishing attachment
T1106: Native API
T1204: User Execution
T1204.002: Malicious File
T1059: Command and Scripting Interpreter
T1059.001: PowerShell
T1059.003: Windows Command Shell
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1047: Windows Management Instrument
T1136: Create Account
T1136.002: Domain Account
T1078: Valid Accounts
T1078.002: Domain Accounts
T1053: Boot or logon autostart execution
T1068: Exploitation for Privilege Escalation
T1140: Deobfuscate/Decode Files or Information
T1070: Indicator Removal on Host T1070.001: Clear Windows Event Logs
T1562: Impair Defenses
T1562.001: Disable or Modify Tools
T1003: OS Credential Dumping
T1003.005: Cached Domain Credentials|
T1018: Remote System Discovery
T1021: Remote Services
T1021.001: Remote Desktop Protocol
T1021.002: SMB/Windows admin shares
T1021.006: Windows Remote Management
T1083: File and directory discovery
T1057: Process discovery
T1063: Security software discovery
T1049: System Network Connections Discovery
T1135: Network Share Discovery
T1071: Application Layer Protocol
T1071.001: Web Protocols
T1570: Lateral tool transfer
1486: Data Encrypted for Impact
T1005: Data from local system
T1560: Archive Collected Data
T1560.001: Archive via Utility
T1105: Ingress Tool Transfer
T1567: Exfiltration over web service