[BreachExchange] Experts warn that Hive ransomware gang can detect unpatched servers

Matthew Wheeler mwheeler at flashpoint-intel.com
Tue Apr 26 08:50:15 EDT 2022


https://venturebeat.com/2022/04/25/experts-warn-that-hive-ransomware-attackers-can-detect-unpatched-servers/


The Hive threat group has been targeting organizations across the finance,
energy and healthcare sectors as part of coordinated ransomware attacks
since June 2021.

During the attacks, the group exploits ProxyShell vulnerabilities in Microsoft
Exchange servers to remotely execute arbitrary commands and encrypt the
data of companies with this unique ransomware strain.

The group is highly organized, with the Varonis research team recently
discovering that a threat actor managed to enter an organization’s
environment and encrypt the target data with the ransomware strain in less
than 72 hours.

These attacks are particularly concerning, as unpatched Exchange servers
are publicly discoverable via web crawlers. “Anyone with an unpatched
Exchange server is at risk,” said Peter Firstbrook, a Gartner analyst.

“Even organizations that have migrated to the cloud version of Exchange
often still have some on-premises Exchange servers that could be exploited
if unpatched. There are circulating threats already and unpatched servers
can be detected with a web crawler, so it is highly likely that unpatched
servers will be exploited,” Firstbrook added.

How much of a risk does ProxyShell present?

Despite the significance of these vulnerabilities, many organizations have
failed to patch their on-premises Exchange servers (these vulnerabilities do
not affect Exchange Online or Office 365 servers).

Last year, Mandiant reported that around 30,000 Exchange Servers remain
unpatched and recent attacks highlight that many organizations have been
slow to update their systems.

This is problematic given that the vulnerabilities enable an attacker to
remotely execute arbitrary commands and malicious code on Microsoft
Exchange Server through port 443.

“Attackers continue to exploit the ProxyShell vulnerabilities that were
initially disclosed more than eight months ago. They have proven to be a
reliable resource for attackers since their disclosure, despite patches
being available,” said Claire Tills, a senior research engineer at Tenable.

“The latest attacks by an affiliate of the Hive ransomware group are
enabled by the ubiquity of Microsoft Exchange and apparent delays in
patching these months-old vulnerabilities. Organizations around the world
in diverse sectors use Microsoft Exchange for critical business functions,
making it an ideal target for threat actors.”

According to Tills, organizations that fail to patch their Exchange servers
enable attackers to reduce the amount of reconnaissance and immediate steps
they need to take to infiltrate target systems.

Detecting ProxyShell intrusions

Organizations that are slow to patch, such as less mature or short-staffed
IT organizations, can fall into the trap of thinking that because there are
no obvious signs of intrusion, no one has used ProxyShell to gain a
foothold in the environment — but this isn’t always the case.

Firstbrook notes that while “ransomware attacks will be obvious to
organizations when they happen, however there are lots of other attack
techniques that will [be] much stealthier, so the absence of ransomware
does not mean the Exchange server is not already compromised.”

It is for this reason that Brian Donohue, a principal information security
specialist at Red Canary, recommends that organizations ensure they can
detect the execution of Cobalt Strike or Mimikatz, even if they can’t update
Exchange.

“Having broad defense in depth against a wide array of threats means that
even if you can’t patch your Exchange servers or the adversary is using
entirely novel tradecraft in certain parts of the attack, you might still
catch the Mimikatz activity, or you might have an alert that looks for the
heavily obfuscated PowerShell that’s being used by Cobalt Strike — all of
which happens before anything gets encrypted,” Donohue said.

In other words, enterprises that haven’t patched the vulnerabilities can
still protect themselves by using managed detection and response and other
security solutions to detect malicious activity that comes before
ransomware encryption, so they can respond before it’s too late.
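To make the "alert that looks for heavily obfuscated PowerShell" idea concrete, here is an added example. It is not code from the article, from Red Canary or from any of the researchers quoted; it assumes PowerShell script-block logging (Windows Event ID 4104) is enabled and that the ScriptBlockText field has already been pulled out of the event. The indicator list, its weights, the score threshold and the sample events are all assumptions constructed for this demo. The scorer also decodes any -EncodedCommand payload it finds and rescans the decoded text, so indicators hidden inside the base64 still count.

```python
"""Heuristic scorer for obfuscated PowerShell in script-block (4104) logs.

Added example for this thread; not the article's, Red Canary's or any
vendor's code. Indicator weights and thresholds are assumptions for the
demo and should be tuned against your own baseline of normal scripts.
"""
import base64
import math
import re
from collections import Counter

# Each entry: (name, pattern, weight). A pattern's weight is applied once
# per match, capped at three matches, so repeated tricks score higher.
INDICATORS = [
    ("encoded_command",   re.compile(r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("from_base64",       re.compile(r"FromBase64String", re.I), 2),
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("policy_bypass",     re.compile(r"-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1),
    ("long_base64_blob",  re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),
    ("char_code_build",   re.compile(r"\[char\]\s*\d+", re.I), 1),
    ("backtick_splits",   re.compile(r"[A-Za-z]`[A-Za-z]"), 1),
]
SCORE_THRESHOLD = 4      # assumption: flag a block once summed weights reach this
ENTROPY_THRESHOLD = 5.2  # bits/char; plain scripts sit well below, base64 near 6


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _decode_encoded_commands(text):
    """Return the UTF-16LE payloads that follow -e / -enc / -EncodedCommand."""
    decoded = []
    for m in re.finditer(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", text, re.I):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            decoded.append(raw.decode("utf-16le", errors="ignore"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def analyze_script_block(text, depth=0):
    """Return (score, hit_names) for one ScriptBlockText value.

    Decoded -EncodedCommand payloads are rescanned (two levels deep) and
    their hits are reported with a 'decoded:' prefix.
    """
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        matches = len(pattern.findall(text))
        if matches:
            hits.append(name)
            score += weight * min(matches, 3)
    if len(text) > 100 and shannon_entropy(text) > ENTROPY_THRESHOLD:
        hits.append("high_entropy")
        score += 1
    if depth < 2:
        for payload in _decode_encoded_commands(text):
            sub_score, sub_hits = analyze_script_block(payload, depth + 1)
            score += sub_score
            hits.extend("decoded:" + h for h in sub_hits)
    return score, hits


def scan_events(events):
    """events: iterable of (label, script_block_text). Returns flagged rows."""
    flagged = []
    for label, text in events:
        score, hits = analyze_script_block(text)
        if score >= SCORE_THRESHOLD:
            flagged.append({"label": label, "score": score, "hits": hits})
    return flagged


# Constructed sample events for the demo (not real telemetry). The encoded
# loader wraps an IEX-of-base64 stub the way Cobalt Strike-style one-liners
# commonly do; the inner base64 is just the string "AA".
_PAYLOAD = 'IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("QQBBAA==")))'
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ("benign-service-check", "Get-Service -Name Spooler | Select-Object Status, Name"),
    ("benign-ad-export", "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties mail | Export-Csv C:\\temp\\users.csv"),
    ("encoded-loader", "powershell.exe -nop -w hidden -enc " + _ENCODED),
    ("charcode-iex", '$s=[char]73+[char]69+[char]88; &("I`E`X") ("Write-Output hello")'),
]

if __name__ == "__main__":
    for row in scan_events(SAMPLE_EVENTS):
        print(f"{row['label']:22} score={row['score']:2}  hits={', '.join(row['hits'])}")
```

Run it as-is to see the two constructed loaders flagged and the two administrative commands pass. In production you would feed it the ScriptBlockText of each 4104 event from your SIEM and raise the threshold or add allow-listing for any signed, known-good deployment scripts that happen to use -EncodedCommand.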