Read time: 3 minutes
In the present situation, ransomware attacks have increased. Hive ransomware is a group used to threaten and hack multiple file servers and devices of businesses. In June 2021, the Hive group came to light. The damages caused by it are in different ways, such as disturbances to business operations, data loss, reputational harm, and legal penalties. Currently, Microsoft Exchange Servers have become a target of an affiliate of the Hive ransomware group. According to a recent survey by the forensics teams, hackers usually take less than 72 hours to achieve their malicious goals and encrypt the environment.
Microsoft Exchange Server is a platform that offers multiple facilities like email, calendaring, contact, and scheduling. Users can access the messaging platform from mobile devices, desktops, and web-based systems using an Exchange server.
In Microsoft Exchange Client Access Server (CAS), ProxyShell vulnerabilities are usually exposed to the internet. And it makes it easier for the Hive group to identify or find Exchange Servers with ProxyShell vulnerabilities, exploit them, and compromise the organization’s network, servers, and devices. Here, ProxyShell is a set of three vulnerabilities, i.e., CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 which they used to execute malicious code.
There are different kinds of strategies and procedures employed to compromise Microsoft
Exchange. They start by disabling anti-malware protections and then use them to encrypt business files. They also used to follow other mechanisms to compromise the networks, like phishing emails with malicious attachments, leaked VPN credentials, and even more.
After research, forensic advisors found that attackers usually used attack servers by targeting ProxyShell vulnerabilities and disabling the security features. Users can follow the regular practices to protect Exchange Server from Hive ransomware groups-
As there is no specific or defined solution to protect from such threats, keep the server updated with the latest updates. Users can also try installing regular security updates to strengthen the server’s security.
In case you’re using an older version, e.g., if a business is running Exchange Server 2010, we highly recommend upgrading to Exchange 2016 or 2019, whichever is convenient for you. And try to be updated with regular Security Updates and patch vulnerabilities.
To check Exchange Server Health, users need to use Microsoft Exchange Server Health Checker Script (HealthChecker.ps1) to identify the issues that need to patch.
Note- Both the HTML report and HealthChecker.ps1 script are located at the same location.
We often fail to protect our data from such attacks or threats because we are not prepared. It is difficult to access the Exchange database after ransomware attacks. Therefore, to deal with such a situation, always try to keep backup. And to back up Exchange (on-premises, online, and hosted) mailboxes to PST, try using Kernel Exchange Backup & Restore tool. This tool is programmed to back up mailboxes from the Exchange database and restore healthy PST files to Exchange mailboxes. It comes up with advanced filters, making it easier to back up the data selectively. Using this tool can be helpful in recovering EDB Public folders too.
To safeguard your organization against Hive Ransomware affiliates and other malicious attacks, you must be prepared with the above-discussed solutions. However, it is always recommended to back up your Exchange data with this tool.