A recent Hive ransomware attack carried out by an affiliate involved the exploitation of “ProxyShell” vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer’s network.
“The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,” Varonis security researcher Nadav Ovadia said in a post-mortem analysis of the incident.
Hive, which was first observed in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold in their victims’ networks.
ProxyShell — tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 — involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.
The issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.
In this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.
The web shells used in the attack are said to have been sourced from a public git repository and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that’s part of the Cobalt Strike framework. Read more: https://bit.ly/3MsooGh
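The randomly named web shells dropped into Exchange web directories are the kind of artefact a defender can hunt for. The following Python is an added example, not code from Varonis or Microsoft; it assumes a placeholder Exchange web root and a constructed list of recently created files, and flags executable web content whose file name looks machine-generated.

```python
import math
import ntpath
import re
from collections import Counter

# Placeholder: replace with the Exchange front-end web root on your server.
EXCHANGE_WEB_ROOT = r"C:\<EXCHANGE_INSTALL>\FrontEnd\HttpProxy"

# Server-side executable web content a dropped web shell would typically use.
WEB_SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the (lower-cased) name."""
    if not s:
        return 0.0
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic: long, high-entropy name mixing character classes or nearly vowel-free."""
    if len(stem) < 8:
        return False
    classes = sum(bool(re.search(p, stem)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in stem) / len(stem)
    return shannon_entropy(stem) >= 3.0 and (classes >= 2 or vowel_ratio < 0.2)


def flag_web_shell_candidates(paths):
    """Return paths under the Exchange web root that are executable web content with random-looking names."""
    flagged = []
    for path in paths:
        if not path.lower().startswith(EXCHANGE_WEB_ROOT.lower()):
            continue
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() in WEB_SHELL_EXTENSIONS and looks_random(stem):
            flagged.append(path)
    return flagged


NEW_FILES = [  # constructed sample of recently created files, not real IoCs
    EXCHANGE_WEB_ROOT + r"\owa\auth\aQ7zK3pR9xLm.aspx",  # random name, web root
    EXCHANGE_WEB_ROOT + r"\owa\auth\SignInPage.aspx",    # plausible legitimate name
    EXCHANGE_WEB_ROOT + r"\ecp\Xy9Wq2Lk8Vb4.ashx",       # random name, web root
    r"C:\Temp\Xy9Wq2Lk8Vb4.txt",                         # random name, not web content
]

if __name__ == "__main__":
    for hit in flag_web_shell_candidates(NEW_FILES):
        print("suspicious web content:", hit)
```

Feed it the output of a file-creation monitor or a directory listing sorted by creation time; any hit should be triaged together with PowerShell activity spawned from the IIS worker process, which this example does not cover.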