• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
new incident report reveals how hive ransomware targets organizations

New Incident Report Reveals How Hive Ransomware Targets Organizations

You are here: Home / General Cyber Security News / New Incident Report Reveals How Hive Ransomware Targets Organizations
April 21, 2022

A recent Hive ransomware attack carried out by an affiliate involved the exploitation of “ProxyShell” vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer’s network.

“The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,” Varonis security researcher, Nadav Ovadia, said in a post-mortem analysis of the incident.

Hive, which was first observed in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims’ networks.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


CyberSecurity

ProxyShell — tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 — involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.

The issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.

In this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.

Hive Ransomware

The web shells used in the attack are said to have been sourced from a public git repository and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that’s part of the Cobalt Strike framework.

CyberSecurity

From there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named “Windows.exe”) to complete the encryption process and display the ransom note to the victim.

Other operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.

If anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.

“Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,” Ovadia said. “It may potentially harm an organization’s reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.”

Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Previous Post: «revil ransomware group's infrastructure comes back online hinting at fresh REvil ransomware group’s infrastructure comes back online hinting at fresh campaign
Next Post: Critical Chipset Bugs Open Millions of Android Devices to Remote Spying critical chipset bugs open millions of android devices to remote»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Blind Eagle Hacking Group Targets South America With New Tools
  • US Family Planning Non-Profit MFHS Confirms Ransomware Attack
  • Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS
  • Dridex Malware Now Attacking macOS Systems with Novel Infection Method
  • Cyber attacks on UK organisations surged 77% in 2022, new research finds
  • WhatsApp to combat internet blackouts with proxy server support
  • The IT Pro Podcast: Going passwordless
  • Podcast transcript: Going passwordless
  • UK Schools Hit by Mass Leak of Confidential Data
  • Play ransomware gang behind recent cyber attack on Rackspace

Copyright © TheCyberSecurity.News, All Rights Reserved.