If you rely on a Microsoft Exchange server to handle email for your company, there is something you should be aware of. Recent research by security and analytics company Varonis has discovered that an affiliate of Hive ransomware has begun targeting Exchange servers that are vulnerable to ProxyShell security issues.

If the group in question finds a vulnerable server, they’ll install a variety of backdoors including Cobalt Strike beacon. That allows them to come back later and snoop around in your network for anything of value, steal administrator account credentials, make off with your company’s proprietary data, or encrypt your files and demand payment from you to get them back.

The exploited flaws are being tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297. All 3 range in severity from 7.2 (high) to 9.8 (critical).

This group is hardly unique in exploiting these flaws.  They’ve been used by other hacker groups including Cuba, Babuk, BlackByte, Conti, and others.  The fact that the exploits seem to be growing in popularity among the hacking community is the most troubling aspect of the recent discovery.

Hive has been around since at least June of last year (2021) and the group has evolved considerably since they first appeared. That prompted the FBI to release a report detailing their activities and tactics to better prepare IT professionals for attacks the group might make against their organizations.

In October 2021, the Hive gang added Linus and Free BSD variants to their growing bank of tricks and they became one of the most active ransomware operations as measured by the frequency of their attacks.

Just last month, researchers operating out of Sentinel Labs discovered that the group is utilizing a new obfuscation technique in a bid to better mask the malicious payloads they introduce to infected networks.

All of this points to the fact that the Hive group is actively working to improve the efficiency and effectiveness of their attacks.  Stay vigilant and be on the alert for this group.  They’ve got a well deserved reputation for being dangerous.

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*