New Incident Report Reveals How Hive Ransomware Targets Organizations

A recently released report details how an affiliate of the Hive Ransomware-as-a-Service (RaaS) group was able to encrypt an environment in less than 72 hours from initial compromise. Hive is an affiliate-based ransomware variant used by threat actors and has been known to target healthcare facilities, nonprofits, and energy providers worldwide.

The threat actors started by exploiting ProxyShell, a well-known set of vulnerabilities in Microsoft Exchange Server that allows an attacker to execute arbitrary code. Once ProxyShell was exploited and a webshell was uploaded to the Exchange server, additional stagers were downloaded and executed from a remote C2 server. These stagers included Cobalt Strike beacons that were executed in memory on the system. This led to a new administrator user being created and credentials being dumped with Mimikatz. The credentials dumped by Mimikatz included the NTLM password hash of a Domain Administrator, which was reused in a pass-the-hash attack to take control of the account. From there, backups were deleted, security products were disabled, and Windows event logs were cleared before the final ransomware payload was delivered and executed on numerous systems.

Through the use of well-known vulnerabilities and tools, the threat actors behind this attack were able to quickly and efficiently compromise the environment at the highest level, allowing for a more damaging and widespread ransomware attack.

Analyst Notes

The initial infection vector for this attack was ProxyShell, a damaging set of vulnerabilities that Microsoft patched in 2021. Any organization running Microsoft Exchange servers is strongly advised to verify that these patches are installed on all Exchange systems so that this vulnerability cannot be exploited. Likewise, there are steps that can be taken to prevent the account hijacking technique used in this attack: using Microsoft LAPS for highly privileged accounts, blocking SMBv1, and using SMB signing to protect against pass-the-hash attacks. Finally, the techniques used by the threat actor, particularly the discovery and persistence tactics, can be detected and alerted upon with appropriate log monitoring. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
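As an added illustration of the log monitoring suggested above (example code written for this summary, not from the report or from Binary Defense), the following correlates three Windows Security events that match the chain described in the incident: a new account being created, that account being added to a local group, and the audit log being cleared shortly afterwards. The event records, host names and account names are constructed sample data; the event ID meanings are the standard Windows Security log IDs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report). Event IDs follow the
# Windows Security log: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 1102 = audit log cleared, 4624 = logon.
SAMPLE_EVENTS = [
    {"time": "2022-04-01T02:10:05", "id": 4624, "host": "EXCH01", "subject": "svc_exch"},
    {"time": "2022-04-01T02:12:41", "id": 4720, "host": "EXCH01", "subject": "svc_exch"},
    {"time": "2022-04-01T02:12:43", "id": 4732, "host": "EXCH01", "subject": "svc_exch"},
    {"time": "2022-04-01T03:30:00", "id": 1102, "host": "EXCH01", "subject": "support1"},
    {"time": "2022-04-02T09:00:00", "id": 4720, "host": "HR01",   "subject": "hr_admin"},
    {"time": "2022-04-03T09:00:00", "id": 1102, "host": "HR01",   "subject": "hr_admin"},
]

STAGES = {4720: "account_created", 4732: "added_to_local_group", 1102: "audit_log_cleared"}

def correlate(events, window=timedelta(hours=2)):
    """Flag each host where an account creation is followed, within `window`,
    by a local-group addition and an audit-log clear. Each of these events is
    routine on its own; the full chain inside a short window is what matches
    the post-exploitation pattern described in the report."""
    by_host = {}
    for ev in events:
        if ev["id"] in STAGES:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), ev["id"], ev["subject"]))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (t0, eid, subj) in enumerate(evs):
            if eid != 4720:
                continue  # the chain is anchored on the account creation
            seen = {4720}
            for t, e, _ in evs[i + 1:]:
                if t - t0 > window:
                    break
                seen.add(e)
            if seen == set(STAGES):
                alerts.append({"host": host, "start": t0.isoformat(), "created_by": subj,
                               "stages": [STAGES[e] for e in STAGES if e in seen]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only EXCH01 is flagged: HR01 shows an account creation and a log clear a day apart, which falls outside the window and is left alone.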