The Hive threat group is targeting vulnerable Microsoft Exchange Servers to deploy ransomware.
First spotted in June 2021, Hive is a Ransomware-as-a-Service (RaaS) model in which cyberattackers can utilize the Hive ransomware strain in attacks.
The threat actors operate a leak site, accessible via a .onion address, which aims to 'name and shame' ransomware victims. Additionally, the malware operators practice double-extortion, in which sensitive corporate data is stolen from a victim organization before disk encryption.
If a victim refuses to pay for a decryption key, the cyberattackers will plaster their name across the leak site and set a timer before the data is leaked. This piles on the pressure and gives the attackers more opportunities for extortion.
Hive's past victims include non-profit entities, the energy sector, financial companies, and healthcare providers.
"While some ransomware groups operating as RaaS networks claim to steer clear of targeting specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive's attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations," Trend Micro said in a March 2022 investigation of the group.
The FBI issued an alert on Hive activity in August 2021, followed by the HHS this April, which cautioned that the RaaS outfit is an "exceptionally aggressive, financially-motivated ransomware group."
In new research published on April 19 by the Varonis Forensics Team, a recent ransomware incident has allowed the company to examine the group's tactics and procedures in depth.
An unnamed customer's networks were infiltrated, and the attack was complete in 72 hours.
The intrusion began with the exploitation of ProxyShell, a set of critical vulnerabilities in the Microsoft Exchange Server patched by the vendor in 2021. The security flaws could lead to the remote, full compromise of Exchange servers.
After exploitation, a webshell backdoor is deployed to maintain persistence and give the attack group a path into the server to run PowerShell code with SYSTEM-level privileges.
Hive launches a Cobalt Strike beacon in the next step and creates a new administrator user account. Mimikatz comes into play, and the domain Administrator NTLM hash is stolen.
"By stealing the domain Administrator NTLM hash and without needing to crack the password, the operator managed to reuse it via Pass-The-Hash attack and take control of the domain admin account," the researchers say.
Pass-the-hash techniques authenticate with the stolen NTLM hash itself, so a target system opens authenticated sessions on the network without the attacker ever needing to crack the password.
Hive will then perform reconnaissance on the server, collect information, and deploy the ransomware payload.
The Go-based Hive ransomware payload, buried in a file called "windows.exe," will encrypt files, delete shadow copies, disable security solutions, and clear Windows event logs. The malware will also try to disable the Windows Security Accounts Manager (SAM) to stop alerts from being sent to a SIEM.
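The chain described above leaves a recognisable trail in the Windows Security log: an IIS worker process spawning a shell (the webshell step), a NewCredentials logon created by a pass-the-hash tool, a new account and group membership, shadow copy deletion and log clearing. The following PowerShell is an added example for defenders, not code from the article or from Varonis; it flattens Security events into a common shape and runs those rules over them. Field names follow the Windows Security event schema for events 4688, 4624, 1102, 4720 and 4732; the sample events at the end are constructed for the demo, and the logon-type-9/seclogo rule is a heuristic, not proof of Mimikatz.

```powershell
# Added example (not from the article or the Varonis report): flag Security-log
# events matching the behaviours described in the text. Sample data is constructed.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into { Id, Time, Data } so the same rules
    # run on live records and on the constructed samples below.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = [int]$Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Find-HiveLikeActivity {
    param([Parameter(Mandatory = $true)] [object[]]$Events)

    foreach ($e in $Events) {
        $d = $e.Data
        $reason = $null
        switch ($e.Id) {
            4688 {
                # 4688 CommandLine is only populated when "Include command line in
                # process creation events" is enabled via audit policy.
                if ($d.ParentProcessName -match '\\w3wp\.exe$' -and
                    $d.NewProcessName -match '\\(cmd|powershell)\.exe$') {
                    # IIS worker (Exchange OWA/ECP) spawning a shell: webshell pattern
                    $reason = 'Shell spawned by w3wp.exe (possible Exchange webshell)'
                }
                elseif ($d.CommandLine -match 'vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete') {
                    $reason = 'Shadow copy deletion'
                }
                elseif ($d.CommandLine -match 'wevtutil(\.exe)?\s+(cl|clear-log)') {
                    $reason = 'Event log clearing'
                }
            }
            4624 {
                # Logon type 9 (NewCredentials) through the seclogo logon process is
                # the pattern a pass-the-hash tool leaves on the source host (heuristic).
                if ($d.LogonType -eq '9' -and $d.LogonProcessName -match '^seclogo') {
                    $reason = 'NewCredentials logon via seclogo (pass-the-hash pattern)'
                }
            }
            1102 { $reason = 'Security event log cleared' }
            4720 { $reason = "Account created: $($d.TargetUserName)" }
            4732 { $reason = "Member added to local group $($d.TargetUserName)" }  # e.g. Administrators
        }
        if ($reason) {
            [pscustomobject]@{ Time = $e.Time; Id = $e.Id; Reason = $reason }
        }
    }
}

# Constructed sample events (illustrative values only, not from a real incident)
$sample = @(
    [pscustomobject]@{ Id = 4688; Time = '2022-04-01T10:00:00'; Data = @{
        ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe /c "echo constructed"' } }
    [pscustomobject]@{ Id = 4720; Time = '2022-04-01T10:05:00'; Data = @{
        TargetUserName = 'svc_backup2' } }
    [pscustomobject]@{ Id = 4732; Time = '2022-04-01T10:05:10'; Data = @{
        TargetUserName = 'Administrators'; MemberSid = 'S-1-5-21-0-0-0-1105' } }
    [pscustomobject]@{ Id = 4624; Time = '2022-04-01T10:20:00'; Data = @{
        LogonType = '9'; LogonProcessName = 'seclogo'; TargetUserName = 'Administrator' } }
    [pscustomobject]@{ Id = 4688; Time = '2022-04-01T11:00:00'; Data = @{
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\vssadmin.exe'
        CommandLine       = 'vssadmin.exe delete shadows /all /quiet' } }
    [pscustomobject]@{ Id = 1102; Time = '2022-04-01T11:30:00'; Data = @{ SubjectUserName = 'Administrator' } }
    [pscustomobject]@{ Id = 4688; Time = '2022-04-01T09:00:00'; Data = @{
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\notepad.exe'
        CommandLine       = 'notepad.exe' } }   # benign, should not be flagged
)

Find-HiveLikeActivity -Events $sample | Format-Table -AutoSize

# Against a live host (collect all relevant IDs in one query):
# Find-HiveLikeActivity -Events (
#     Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4624,1102,4720,4732} |
#         ConvertFrom-SecurityEvent)
```

Against the sample data the function returns six findings and ignores the benign notepad launch. In production these rules belong in the SIEM the article mentions, forwarded from the Exchange host, precisely because the payload clears local logs at the end of the chain.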
Once encryption is complete, Hive posts a ransomware note, telling its victim that all data is encrypted and files have been stolen.
Hive then urges its victim to contact the "sales department" at a .onion address accessible via the Tor network to obtain a decryption key and stop "personal data, financial reports, and important documents" from being leaked online.
Hive then provides instructions and a set of 'guidelines' for organizations to follow, including:
"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits," the researchers say. "The impact of an attack can be detrimental. It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data."
Varonis recommends that system administrators make sure their Exchange servers have been patched. Admins may also wish to enforce frequent password rotations, block SMBv1, and use SMB signing.
It is also recommended that organizations consider zero-trust models to restrict employee account privileges to only access the resources they need in their roles, thereby reducing the potential attack surface if the account is compromised.
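The Varonis recommendations above (patched Exchange, SMBv1 blocked, SMB signing required) can be audited on the host itself. The following PowerShell is an added example, not the report's or the article's code: it checks those settings, reports the Exchange build, and applies the SMB changes only when run with -Enforce. The SmbShare cmdlets are standard on Windows 8/Server 2012 and later; `$MinimumExchangeBuild` is a placeholder you must set from Microsoft's Exchange build table for the cumulative update that carries the ProxyShell fixes, since the article gives no build numbers.

```powershell
# Added example (not from the article or Varonis). Audits the host settings
# behind the recommendations and, only with -Enforce, applies the SMB changes.
# Run from an elevated PowerShell on the Exchange server.

function Test-ExchangeHostHardening {
    [CmdletBinding()]
    param(
        [switch]$Enforce,
        # PLACEHOLDER: replace with the build of the fixed cumulative update
        [version]$MinimumExchangeBuild = '15.0.0.0'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # --- SMBv1 ---
    $server = Get-SmbServerConfiguration
    if ($server.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled')
        if ($Enforce) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }
    # Removing the SMB1 driver entirely needs a feature uninstall and a reboot:
    #   client OS: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    #   server OS: Uninstall-WindowsFeature FS-SMB1

    # --- SMB signing, both directions ---
    if (-not $server.RequireSecuritySignature) {
        $findings.Add('SMB server does not require signing')
        if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
    }
    $client = Get-SmbClientConfiguration
    if (-not $client.RequireSecuritySignature) {
        $findings.Add('SMB client does not require signing')
        if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
    }

    # --- Exchange patch level ---
    # Exchange setup sets ExchangeInstallPath; ExSetup.exe carries the installed build.
    if ($env:ExchangeInstallPath) {
        $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        if (Test-Path $exsetup) {
            $build = [version](Get-Item $exsetup).VersionInfo.ProductVersion
            if ($build -lt $MinimumExchangeBuild) {
                $findings.Add("Exchange build $build is below required $MinimumExchangeBuild")
            }
        }
    } else {
        Write-Verbose 'ExchangeInstallPath not set; skipping Exchange build check'
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Audit only:
Test-ExchangeHostHardening -Verbose

# Apply the SMB changes after reviewing the audit output (build is a placeholder):
# Test-ExchangeHostHardening -Enforce -MinimumExchangeBuild '15.2.xxx.x'
```

Changing signing requirements can break legacy clients that cannot sign, so run the audit first and roll the -Enforce step out per host; the function deliberately never touches the Exchange installation itself, because patching is done through the cumulative update installer, not a setting.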