Ransomware attacks are on the rise, with the Hive ransomware group posing a significant threat to businesses. The Hive group, first identified in June 2021, causes various forms of damage, including disruptions to business operations, data loss, reputational harm, and legal consequences. Notably, Microsoft Exchange Servers have become a recent target for affiliates of the Hive ransomware group. Forensic teams have discovered that these hackers often take less than 72 hours to achieve their malicious objectives and encrypt sensitive environments.
Microsoft Exchange Server is a versatile messaging platform that provides email, calendaring, contact management, and scheduling. Users can access it from mobile devices, desktop computers, and web browsers, all served by the same Exchange server.
The ProxyShell vulnerabilities sit in the Microsoft Exchange Client Access Server (CAS) role, which is typically exposed to the internet. That exposure makes it easy for the Hive group to locate Exchange Servers that are still vulnerable to ProxyShell, exploit them, and then move on to compromise the organization’s network, servers, and devices. ProxyShell is a trio of vulnerabilities, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, which the attackers chain together to execute malicious code on the server.
A variety of strategies and tactics are used to compromise Microsoft Exchange. Attackers often begin by disabling anti-malware protections, and then use the access gained through these vulnerabilities to deploy ransomware and encrypt business files. They also employ alternative methods to compromise networks, including phishing emails with malicious attachments, leaked VPN credentials, and other techniques.
After extensive research, forensic experts have determined that attackers frequently compromise servers by targeting ProxyShell vulnerabilities and disabling security features. Users are advised to follow standard security practices to safeguard their Exchange Server from Hive ransomware affiliates.
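Because disabling anti-malware protection is described above as the attackers' first step, a defender's quickest win is to verify, on a schedule, that those protections are still switched on. The following is an added example and not code from the original post or from any vendor; it assumes Microsoft Defender on the Exchange host, the Exchange Management Shell loaded (for `Get-TransportAgent`), and an elevated session. The Defender event IDs used (5001, 5010) are the ones Defender logs when real-time protection or scanning is turned off.

```powershell
# Added example (not from the original post): spot-check that the anti-malware
# protections a ransomware affiliate would disable are still enabled, and look
# back over the attackers' observed sub-72-hour window for evidence of tampering.

$findings = @()

# 1. Microsoft Defender state (Defender module, built into Windows Server)
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }
if (-not $mp.IsTamperProtected)         { $findings += 'Defender tamper protection is off' }

# 2. Exchange's own Malware Agent on the transport pipeline
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Malware Agent' }
if (-not $agent -or -not $agent.Enabled) { $findings += 'Exchange Malware Agent is missing or disabled' }

# 3. Recent evidence of protection being switched off in the Defender operational log
#    (5001 = real-time protection disabled, 5010 = malware scanning disabled)
$since  = (Get-Date).AddDays(-3)   # matches the sub-72-hour dwell time noted above
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Protection changed at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: anti-malware protections on this server are enabled'
} else {
    Write-Warning 'Review the following:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from a scheduled task that forwards the warnings to your monitoring system; a protection change event in the last few days on an internet-facing Exchange server deserves the same attention as a malware alert.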
Since there is no single, defined solution to safeguard against these threats, it’s essential to keep the server regularly updated with the latest patches and security updates. This practice helps fortify the server’s security posture.
If you are currently running an older version, such as Exchange Server 2010, we strongly advise upgrading to Exchange 2016 or 2019, depending on your requirements. It’s crucial to stay proactive in applying security updates as they are released to address vulnerabilities.
To assess the health of your Exchange Server, use the Microsoft Exchange Server Health Checker script (HealthChecker.ps1). This script helps identify issues that require patching or other attention.
Note: the HTML report is written to the same folder in which HealthChecker.ps1 is located.
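The patch-level and health-check steps above can be scripted so they run the same way every time. The following is an added example and not code from the original post or from the Health Checker project; it assumes HealthChecker.ps1 has been downloaded to the folder in `$scriptDir` (a placeholder path) and that the Exchange Management Shell is loaded so `Get-ExchangeServer` is available. The `-Server` and `-BuildHtmlServersReport` parameters are those documented in the script's own help; confirm them with `Get-Help .\HealthChecker.ps1` for the version you run.

```powershell
# Added example (not from the original post): list every Exchange server's build,
# run the Health Checker against each one, and produce the combined HTML report.

$scriptDir = 'C:\Tools\HealthChecker'            # assumed download location (placeholder)
$script    = Join-Path $scriptDir 'HealthChecker.ps1'
if (-not (Test-Path $script)) { throw "HealthChecker.ps1 not found in $scriptDir" }

# The script writes its XML, log and HTML output next to itself, so run it from there.
Set-Location $scriptDir

# Patch level of every server: compare AdminDisplayVersion against the current
# Cumulative Update / Security Update build for that Exchange version.
Get-ExchangeServer |
    Select-Object Name, Edition, AdminDisplayVersion |
    Format-Table -AutoSize

# Run the checker once per server (each run produces a per-server result file).
foreach ($srv in Get-ExchangeServer) {
    & $script -Server $srv.Name
}

# Fold the per-server results into a single HTML report in the same folder.
& $script -BuildHtmlServersReport

# Show where the report landed.
Get-ChildItem $scriptDir -Filter '*.html' | Select-Object Name, LastWriteTime
```

Keep the per-server output files from each run; comparing two reports a month apart is an easy way to confirm that a security update actually landed on every server rather than only on the one you patched by hand.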
Safeguarding data against such threats is often overlooked, leaving organizations unprepared when a ransomware attack strikes. Retrieving data from the Exchange database after such an incident can be difficult, so it’s crucial to maintain regular backups. For this purpose, consider using the Kernel Exchange Backup & Restore tool, designed to back up Exchange mailboxes (on-premises, online, and hosted) to PST format. The tool offers advanced filters for selective backup and can also assist in recovering EDB Public Folders.
To protect your organization from Hive Ransomware affiliates and similar malicious attacks, it’s essential to implement the solutions discussed above. Additionally, it’s highly advisable to regularly back up your Exchange data using the mentioned tool.