Since June 2021, the Hive threat group has been targeting organizations across the finance, energy, and healthcare sectors as part of coordinated ransomware attacks.
During these attacks, the group exploits the ProxyShell vulnerabilities in on-premises Microsoft Exchange servers to remotely execute arbitrary commands, then encrypts the victim's data with its own Hive ransomware strain.
The group is highly organized: the Varonis research team recently found that a threat actor entered an organization's environment and encrypted the target data with the ransomware in less than 72 hours.
These attacks are particularly concerning because unpatched Exchange servers are publicly discoverable via web crawlers. “Anyone with an unpatched Exchange server is at risk,” said Gartner analyst Peter Firstbrook.
“Even organizations that have migrated to the cloud version of Exchange often still have some on-premises Exchange servers that could be exploited if unpatched. There are circulating threats already and unpatched servers can be detected with a web crawler, so it is highly likely that unpatched servers will be exploited,” Firstbrook said.
How much of a risk does ProxyShell present?
Despite the significance of these vulnerabilities, many organizations have failed to patch their on-premises Exchange servers (the vulnerabilities do not affect Exchange Online or Office 365).
Last year, Mandiant reported that around 30,000 Exchange servers remained unpatched, and recent attacks show that many organizations have been slow to update their systems.
This is problematic because the ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) lets an unauthenticated attacker remotely execute arbitrary commands and malicious code on a Microsoft Exchange server over port 443 (HTTPS), the one port an internet-facing Exchange server must expose anyway.
“Attackers continue to exploit the ProxyShell vulnerabilities that were initially disclosed more than eight months ago. They have proven to be a reliable resource for attackers since their disclosure, despite patches being available,” said Senior Research Engineer at Tenable, Claire Tills.
“The latest attacks by an affiliate of the Hive ransomware group are enabled by the ubiquity of Microsoft Exchange and apparent delays in patching these months-old vulnerabilities. Organizations around the world in diverse sectors use Microsoft Exchange for critical business functions, making it an ideal target for threat actors.”
Tills adds that organizations that fail to patch their Exchange servers let attackers skip much of the reconnaissance and initial-access work they would otherwise need to infiltrate target systems.
Detecting ProxyShell intrusions
Organizations that are slow to patch, such as less mature or short-staffed IT teams, can fall into the trap of assuming that, because there are no obvious signs of intrusion, nobody has used ProxyShell to gain a foothold in the environment. That is not a safe assumption.
Firstbrook notes that while “ransomware attacks will be obvious to organizations when they happen, however there are lots of other attack techniques that will [be] much stealthier, so the absence of ransomware does not mean the Exchange server is not already compromised.”
For this reason, Brian Donohue, Principal Information Security Specialist at Managed Detection and Response (MDR) provider Red Canary, recommends that organizations make sure they can detect the execution of Cobalt Strike or Mimikatz, even if they cannot update Exchange.
“Having broad defense in depth against a wide array of threats means that even if you can’t patch your Exchange servers or the adversary is using entirely novel tradecraft in certain parts of the attack, you might still catch the Mimikatz activity, or you might have an alert that looks for the heavily obfuscated PowerShell that’s being used by Cobalt Strike – all of which happens before anything gets encrypted,” Donohue said.
In other words, enterprises that have not yet patched can still limit the damage by using Managed Detection and Response and other security tooling to detect the malicious activity that precedes ransomware encryption, so they can respond before it is too late. Patching remains the fix; detection buys time.
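The point of this section is that ProxyShell exploitation leaves traces on the Exchange server itself long before anything is encrypted. As an added example (not code from the article, nor from Varonis, Red Canary or any other vendor quoted here), the Python below hunts IIS W3C logs from an Exchange front end for the widely published ProxyShell request shape: the /autodiscover/autodiscover.json endpoint requested with a query that begins with "@host/<back end>" and/or carries Email=autodiscover/autodiscover.json, which makes the front end proxy the request to an arbitrary back-end path such as /mapi/nspi or /powershell. The log lines are constructed for the example, the field layout is taken from the log's own #Fields: header, and the regexes and stage labels are this example's assumptions, not an official Microsoft indicator list.

```python
"""Hunt IIS W3C logs on an Exchange front end for ProxyShell path-confusion
requests.  Added example; the indicators are the widely published ProxyShell
request shape, and every log line below is constructed for the example."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Only the JSON Autodiscover endpoint is abused; autodiscover.xml is the
# normal client path and is ignored.
AUTODISCOVER_STEM = re.compile(r"^/autodiscover/autodiscover\.json$", re.I)
# '@evil.example/mapi/nspi/?...' -> back end 'mapi/nspi'
AT_PREFIX = re.compile(r"^@[^/]+/(?P<backend>[^?&]*)", re.I)
# The second tell-tale: Email=autodiscover/autodiscover.json in the query.
EMAIL_INDICATOR = re.compile(r"(?:^|&)email=autodiscover/autodiscover\.json", re.I)
# A forged PowerShell back-end token is ProxyShell's second stage.
RPS_CAT = re.compile(r"(?:^|[?&])X-Rps-CAT=", re.I)

# Constructed sample: a normal Outlook Autodiscover call, a normal JSON
# Autodiscover call, two ProxyShell requests, and an OWA logon.  IIS writes
# spaces inside cs(User-Agent) as '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 alice 10.0.0.77 Microsoft+Office/16.0 200
2021-08-20 10:01:05 10.0.0.5 GET /autodiscover/autodiscover.json Email=bob@example.com 443 - 10.0.0.90 Microsoft+Office/16.0 200
2021-08-20 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-20 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-20 10:02:00 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example/owa 443 - 10.0.0.88 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the
    names from the most recent '#Fields:' directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip unmappable lines
                rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if this request matches the ProxyShell shape, else None."""
    if not AUTODISCOVER_STEM.match(row.get("cs-uri-stem", "")):
        return None
    query = row.get("cs-uri-query", "")
    query = "" if query == "-" else unquote(query)  # decode %3F and friends
    m = AT_PREFIX.match(query)
    email_hit = bool(EMAIL_INDICATOR.search(query))
    if not m and not email_hit:
        return None  # ordinary Autodiscover JSON request
    backend = m.group("backend").strip("/").lower() if m else "unknown"
    rps_cat = bool(RPS_CAT.search(query))
    if backend == "powershell" and rps_cat:
        stage = "stage 2: forged X-Rps-CAT token sent to the PowerShell back end"
    elif backend.startswith("mapi/"):
        stage = "stage 1: SSRF to the MAPI back end via Autodiscover path confusion"
    else:
        stage = "Autodiscover path confusion to back end '%s'" % backend
    return {
        "time": row.get("date", "") + " " + row.get("time", ""),
        "c-ip": row.get("c-ip", ""),
        "method": row.get("cs-method", ""),
        "backend": backend,
        "rps_cat": rps_cat,
        "email_indicator": email_hit,
        "stage": stage,
    }


def scan_iis_log(text: str) -> List[Dict[str, object]]:
    """Parse and classify a whole log; findings come back in log order."""
    return [f for f in (classify(r) for r in parse_iis_log(text)) if f]


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding["time"], finding["c-ip"], finding["method"], finding["stage"])
```

Point it at the front-end logs under the default IIS location (`C:\inetpub\logs\LogFiles\W3SVC1\`) for the whole period since the patches shipped. A hit only proves that someone sent the request; treat it as a lead, not a verdict, and pair it with the response code, any new .aspx files under the Exchange web roots, and the Mimikatz and Cobalt Strike telemetry Donohue describes.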