
Summary: Ransomware attacks, particularly by the Hive group, are on the rise, targeting Microsoft Exchange Servers. These attacks can disrupt business operations, cause data loss, and lead to legal and reputational damage. The Hive group exploits vulnerabilities like ProxyShell to compromise Exchange Servers. To protect your Exchange Server, keep it updated, consider upgrading to newer versions, and use tools like Kernel Exchange Backup & Restore for data backup and recovery.

Ransomware attacks are on the rise, with the Hive ransomware group posing a significant threat to businesses. The Hive group, first identified in June 2021, causes various forms of damage, including disruptions to business operations, data loss, reputational harm, and legal consequences. Notably, Microsoft Exchange Servers have become a recent target for affiliates of the Hive ransomware group. Forensic teams have discovered that these hackers often take less than 72 hours to achieve their malicious objectives and encrypt sensitive environments.

What is Microsoft Exchange Server?

Microsoft Exchange Server is a versatile platform that provides a range of features, including email, calendaring, contact management, and scheduling. Users can conveniently access this messaging platform from various devices, including mobile devices, desktop computers, and web-based systems, all through an Exchange server.

How is the Hive Ransomware group attacking Exchange Servers?

ProxyShell is a chain of three vulnerabilities in the Exchange Client Access Service (CAS), the front end that is deliberately exposed to the internet so that Outlook, mobile devices and web clients can reach it: CVE-2021-34473 (a pre-authentication path-confusion flaw that lets an unauthenticated request reach back-end endpoints such as /mapi/nspi and /powershell), CVE-2021-34523 (privilege elevation in the Exchange PowerShell back end) and CVE-2021-31207 (a post-authentication arbitrary file write). Chained together they give unauthenticated remote code execution as SYSTEM on the Exchange server. Because the CAS is internet-facing, the Hive affiliates can scan for servers that are still unpatched, exploit them, and use that foothold to compromise the organization's network, servers and devices. Microsoft fixed these bugs in the April and May 2021 Exchange security updates; a server exposed to the internet without them is exploitable.

A variety of strategies and tactics are used once access is gained. The vulnerabilities themselves do not encrypt anything; they give the attackers code execution on the Exchange server, which serves as the foothold. From there the attackers typically disable anti-malware protections, move through the network, and only then deploy the encryptor against business files. Hive affiliates also use other routes in, including phishing emails with malicious attachments, leaked or stolen VPN credentials, and similar techniques, so patching Exchange alone does not close every door.
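Because the first stage of this chain is a plain HTTP request to the CAS, it leaves a trace in the front-end IIS logs. The script below is an added example, not code from the original article or from Kernel: it parses IIS W3C-format log lines and flags the ProxyShell request shape (a request to /autodiscover/autodiscover.json whose query string carries an "@" together with a back-end path, or nests the autodiscover.json path inside the Email= parameter). The log lines embedded in SAMPLE_LOG are constructed for the example, and the field layout is assumed to be the IIS default.

```python
"""Flag ProxyShell-style request patterns in IIS W3C logs from an Exchange CAS front end.

Added example; assumes the default IIS W3C field names (#Fields: header present).
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Back-end paths the pre-auth path confusion (CVE-2021-34473) is used to reach.
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews", "/ecp")

# Constructed sample: one OWA login, two ProxyShell probes, one legitimate Autodiscover call.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-15 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-15 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.26 200
2021-08-15 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell 443 - 198.51.100.23 python-requests/2.26 200
2021-08-15 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@corp.example&Protocol=ActiveSync 443 - 10.0.0.77 Outlook/16.0 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    query: str
    reason: str


def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the column names from the #Fields header."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields header: layout unknown, skip it
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; W3C values are space-delimited and never contain spaces
        yield dict(zip(fields, values))


def classify(stem: str, query: str) -> Optional[str]:
    """Return a reason string if the request looks like a ProxyShell probe, else None."""
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return None
    q = query.lower()
    if q == "-":  # IIS writes '-' for an empty query string
        return None
    # Legitimate Autodiscover requests also carry '@' (inside Email=user@domain), so '@' alone
    # is not an indicator. The exploit pairs it with a back-end path, or nests the
    # autodiscover.json path itself inside the Email parameter.
    for path in BACKEND_PATHS:
        if "@" in q and path in q:
            return f"autodiscover.json with '@' and back-end path {path}"
    if "autodiscover/autodiscover.json" in q:
        return "autodiscover.json path nested inside the query (Email= trick)"
    return None


def find_proxyshell_hits(log_text: str) -> List[Hit]:
    """Run classify() over every request in an IIS W3C log and collect the matches."""
    hits: List[Hit] = []
    for rec in parse_iis_w3c(log_text):
        reason = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if reason:
            hits.append(Hit(
                timestamp=f"{rec.get('date', '?')} {rec.get('time', '?')}",
                client_ip=rec.get("c-ip", "?"),
                method=rec.get("cs-method", "?"),
                query=rec.get("cs-uri-query", "-"),
                reason=reason,
            ))
    return hits


if __name__ == "__main__":
    for h in find_proxyshell_hits(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.reason}: {h.query}")
```

On an Exchange server the front-end IIS logs live by default under %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\; pass the file contents to find_proxyshell_hits(). A hit records an attempt, not a confirmed compromise: check the sc-status of the matching requests and inspect the server for dropped web shells and for the follow-on activity (disabled anti-malware, new scheduled tasks or services) described above.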

Practices to protect Exchange Server from Hive Ransomware Attack

Forensic investigations of these incidents show a consistent pattern: the attackers break in through unpatched ProxyShell vulnerabilities and then disable security features on the compromised servers. Administrators are therefore advised to apply the standard hardening practices below to protect their Exchange Servers from Hive ransomware affiliates.

Update the Server

There is no single control that stops these attacks, so the baseline is to keep the server current with the latest Cumulative Update (CU) and Security Update (SU). Note that Exchange SUs are built for specific CUs: a server on an unsupported CU cannot install the current SU, so staying on a supported CU is a prerequisite for receiving security fixes at all.

Upgrade to the new version

If you are still running an older version such as Exchange Server 2010, which left extended support in October 2020 and no longer receives security updates, plan an upgrade to Exchange 2016 or 2019, depending on your requirements. A supported version is only as safe as its patch level, so keep applying security updates promptly after the upgrade.

Protect Exchange Server from ProxyShell Attack

To assess the patch state of your Exchange Server, run the Microsoft Exchange Server Health Checker script (HealthChecker.ps1). It reports the installed build, missing security updates and known vulnerabilities (including ProxyShell) that still need to be addressed.

  • Download HealthChecker.ps1 from https://aka.ms/ExchangeHealthChecker. (Supported versions: Exchange Server 2013, 2016 and 2019.)
  • Open the Exchange Management Shell and use the ‘cd’ command to change to the directory that contains HealthChecker.ps1.
  • Run .\HealthChecker.ps1 to check the local server.
  • Generate the HTML report with .\HealthChecker.ps1 -BuildHtmlServersReport
  • Double-click the HTML file to open it in a web browser.
  • Check the Security Vulnerabilities section: it lists the CVEs the server is still exposed to and the Security Update for your Exchange version that fixes them. Install that update, then re-run the script to confirm the findings are gone.
  • Note: the HTML report is written to the same directory as the HealthChecker.ps1 script.

Kernel Exchange Backup & Restore

Backups are often the control that gets overlooked, which leaves an organization with no way back when ransomware strikes. Recovering mailbox data from an encrypted Exchange database after the fact is difficult, so keep regular backups, and keep at least one copy offline or otherwise out of reach of an attacker who has domain credentials, since ransomware operators routinely target reachable backups before encrypting. For this purpose, consider the Kernel Exchange Backup & Restore tool, which backs up Exchange mailboxes (on-premises, Exchange Online and hosted) to PST format, offers filters for selective backup, and can also recover public folders from an EDB file.

Conclusion

To protect your organization from Hive ransomware affiliates and similar attacks, apply the measures above: patch and upgrade Exchange, verify the patch state with HealthChecker, and watch for the exploitation patterns described here. Back up your Exchange data regularly, with the mentioned tool or another, so that recovery does not depend on paying a ransom.
