How is the Hive Ransomware Affiliate Targeting Exchange Servers?

Megha Chouhan
Megha Chouhan | Published On - 07 Sep 2022 |

Read time: 3 minutes

In the present situation, ransomware attacks have increased. Hive ransomware is a group used to threaten and hack multiple file servers and devices of businesses. In June 2021, the Hive group came to light. The damages caused by it are in different ways, such as disturbances to business operations, data loss, reputational harm, and legal penalties. Currently, Microsoft Exchange Servers have become a target of an affiliate of the Hive ransomware group. According to a recent survey by the forensics teams, hackers usually take less than 72 hours to achieve their malicious goals and encrypt the environment.

What is Microsoft Exchange Server?

Microsoft Exchange Server is a platform that offers multiple facilities like email, calendaring, contact, and scheduling. Users can access the messaging platform from mobile devices, desktops, and web-based systems using an Exchange server.

How is the Hive Ransomware group attacking Exchange Servers?

In Microsoft Exchange Client Access Server (CAS), ProxyShell vulnerabilities are usually exposed to the internet. And it makes it easier for the Hive group to identify or find Exchange Servers with ProxyShell vulnerabilities, exploit them, and compromise the organization’s network, servers, and devices. Here, ProxyShell is a set of three vulnerabilities, i.e., CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 which they used to execute malicious code.

There are different kinds of strategies and procedures employed to compromise Microsoft
Exchange. They start by disabling anti-malware protections and then use them to encrypt business files. They also used to follow other mechanisms to compromise the networks, like phishing emails with malicious attachments, leaked VPN credentials, and even more.

Practices to protect Exchange Server from Hive Ransomware Attack

After research, forensic advisors found that attackers usually used attack servers by targeting ProxyShell vulnerabilities and disabling the security features. Users can follow the regular practices to protect Exchange Server from Hive ransomware groups-

Update the Server

As there is no specific or defined solution to protect from such threats, keep the server updated with the latest updates. Users can also try installing regular security updates to strengthen the server’s security.

Upgrade to the new version

In case you’re using an older version, e.g., if a business is running Exchange Server 2010, we highly recommend upgrading to Exchange 2016 or 2019, whichever is convenient for you. And try to be updated with regular Security Updates and patch vulnerabilities.

Protect Exchange Server from ProxyShell Attack

To check Exchange Server Health, users need to use Microsoft Exchange Server Health Checker Script (HealthChecker.ps1) to identify the issues that need to patch.

  • Initiate by downloading HealthChecker.ps1. (Supported Version Exchange Server 2013, 2016, and 2019.)
  • Now open Exchange Management Shell and use the ‘cd ‘command to find the location of the HealthChecker.ps1 script.
  • Now run the command .\HealthChecker.ps1 to execute the HealthChecker.ps1 on the server.
  • Now generate HTML report using command .\HealthChecker.ps1 -BuildHtmlServersReport
  • Lastly, double-click the HTML file to open it in the web browser.
  • And here, check the Security Vulnerabilities section to find out where we need to update by following Security Update available for the Exchange Server version.
  • Note- Both the HTML report and HealthChecker.ps1 script are located at the same location.

Kernel Exchange Backup & Restore

We often fail to protect our data from such attacks or threats because we are not prepared. It is difficult to access the Exchange database after ransomware attacks. Therefore, to deal with such a situation, always try to keep backup. And to back up Exchange (on-premises, online, and hosted) mailboxes to PST, try using Kernel Exchange Backup & Restore tool. This tool is programmed to back up mailboxes from the Exchange database and restore healthy PST files to Exchange mailboxes. It comes up with advanced filters, making it easier to back up the data selectively. Using this tool can be helpful in recovering EDB Public folders too.

Conclusion

To safeguard your organization against Hive Ransomware affiliates and other malicious attacks, you must be prepared with the above-discussed solutions. However, it is always recommended to back up your Exchange data with this tool.