A vulnerability chain in Microsoft Exchange Server is being used by attackers to deploy Hive ransomware together with other backdoors, including Cobalt Strike Beacon, and tooling capable of stealing cryptocurrency from wallets and installing crypto-mining software.
The attacks exploit the ProxyShell flaws; once inside, the threat actors carry out network reconnaissance and then download their payloads.
Security analytics firm Varonis uncovered the details of the Hive deployment on Microsoft Exchange servers while investigating on behalf of one of its customers. Researchers found that the group planted four web shells in a publicly accessible Exchange directory and ran PowerShell code to evade detection by security monitoring tools. Three of the four web shells came from a public Git repository; the fourth had been observed in the wild.
Previously, threat actors behind Conti, BlackByte, Babuk, Cuba and LockFile used the ProxyShell vulnerabilities to steal data from victims and then encrypt their systems.
Microsoft had issued fixes for all of the newly discovered vulnerabilities by May 2021. But according to the new findings from Varonis, the Hive ransomware gang is again exploiting the flaws, tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, which carry CVSS severity scores of up to 9.8 (Critical).
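For defenders, the practical question is whether their own Exchange servers show the ProxyShell request pattern that precedes web shell drops like the ones described above. The following Python script is an added example written for this article, not code from Varonis or from any referenced advisory. It parses IIS W3C log lines and flags the publicly documented ProxyShell indicators: a request to `/autodiscover/autodiscover.json` whose query begins with `@host/<backend>` (the path-confusion abuse of CVE-2021-34473), an `Email=autodiscover/autodiscover.json?@` parameter, and a forged `X-Rps-CAT` token aimed at the `/powershell` backend (CVE-2021-34523). The log lines, IP addresses and the host `evil.example` are constructed for the example.

```python
"""Flag ProxyShell-style requests in IIS W3C logs (added example, not Varonis code)."""
from typing import Dict, Iterator, List
from urllib.parse import unquote

# Backend paths that the Autodiscover front end can be tricked into proxying to.
PROXYSHELL_BACKENDS = ("/mapi/nspi", "/powershell", "/ews", "/autodiscover")

# Constructed sample log (assumed format: IIS W3C with a #Fields header).
# Lines 1-2 mimic the ProxyShell pattern; lines 3-4 are benign OWA/Autodiscover traffic.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-04-01 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2022-04-01 10:15:04 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgAAAAA&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2022-04-01 10:15:09 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa 443 - 198.51.100.9 Mozilla/5.0 200
2022-04-01 10:16:30 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe 10.0.0.44 Microsoft+Office/16.0 200
"""


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the column names from the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines instead of crashing mid-scan
        yield dict(zip(fields, values))


def proxyshell_indicators(entry: Dict[str, str]) -> List[str]:
    """Return the names of the ProxyShell indicators matched by one request (empty = clean)."""
    stem = entry.get("cs-uri-stem", "").lower()
    # URL-decode so %3F in the echoed Email parameter compares as '?'.
    query = unquote(entry.get("cs-uri-query", "")).lower()
    hits: List[str] = []
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return hits
    # Path confusion: query starts with "@host/<backend>", which the front end
    # strips before proxying the request to the internal backend.
    if query.startswith("@") and any(b in query for b in PROXYSHELL_BACKENDS):
        hits.append("autodiscover-path-confusion")
    # The Email parameter echoes autodiscover.json?@ to satisfy the front-end check.
    if "email=autodiscover/autodiscover.json?@" in query:
        hits.append("email-parameter-echo")
    # A forged X-Rps-CAT token handed to the PowerShell backend (CVE-2021-34523).
    if "/powershell" in query and "x-rps-cat=" in query:
        hits.append("powershell-backend-token")
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious request: timestamp, client IP, method and indicators."""
    findings: List[Dict[str, object]] = []
    for entry in parse_iis_log(text):
        hits = proxyshell_indicators(entry)
        if hits:
            findings.append({
                "time": f"{entry.get('date')} {entry.get('time')}",
                "client": entry.get("c-ip"),
                "method": entry.get("cs-method"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_IIS_LOG):
        print(finding)
```

Run it against exported IIS logs from the Exchange front end (the `W3SVC*` folders) rather than the sample; a single hit on a server that was not patched before the request is a strong cue to go looking for the dropped `.aspx` web shells and the PowerShell activity the article describes.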
Note- Since the FBI first detected it in June 2021, Hive has grown into one of the most active ransomware families by attack frequency. CISA, together with the Federal Bureau of Investigation (FBI), therefore published a dedicated report last year on the tactics and indicators of compromise associated with Hive ransomware.