During a recent engagement with a customer, the Varonis Forensics Team investigated a ransomware incident. Multiple devices and file servers were compromised and encrypted by a malicious threat group known as Hive.

First observed in June 2021, Hive is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks against healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. Hive is built for distribution in a Ransomware-as-a-Service model that enables affiliates to utilize it as desired.

The variant uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. While taking live actions, the operator disables anti-malware protections and then exfiltrates sensitive data and encrypts business files. Its affiliates use multiple mechanisms to compromise their victims' networks, including phishing emails with malicious attachments, leaked VPN credentials, and exploitation of vulnerabilities on external-facing assets. In addition, Hive places a plain-text ransom note that threatens to publish the victim's data on the TOR website 'HiveLeaks' unless the victim meets the attacker's conditions.

The Forensics team observed that the actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise.

First, the attacker exploited multiple Exchange security vulnerabilities, referred to as ProxyShell. Next, the attacker placed a malicious backdoor script, referred to as a webshell, in a publicly accessible directory on the Exchange server. These web scripts could then execute malicious PowerShell code on the compromised server with SYSTEM privileges.

The malicious PowerShell code downloaded additional stagers from a remote C2 (Command & Control) server associated with the Cobalt Strike framework. The stagers were not written to the file system but executed in memory.

Leveraging the SYSTEM permissions, the threat actor created a new system administrator user named "user" and advanced to the credential dumping stage, invoking Mimikatz. By stealing the domain Administrator NTLM hash, and without needing to crack the password, the operator reused it via a Pass-the-Hash attack and took control of the domain admin account.

Stage 4: Scanning for sensitive information

Next, the threat actor performed extensive discovery activities across the network. In addition to searching for files containing "password" in their names, observed activities included dropping network scanners and collecting the network's IP addresses and device names, followed by RDP connections to the backup servers and other critical assets.

Stage 5: Ransomware deployment

Finally, a custom-crafted malware payload named Windows.exe was delivered and executed on various devices, leading to wide encryption and denial of access to files within the organization. The payload created a plain-text ransom demand note during the encryption phase.

The initial indicator of compromise was the successful exploitation of Microsoft Exchange via the vulnerabilities known as ProxyShell. Revealed in August 2021, ProxyShell is a Remote Code Execution (RCE) vulnerability. ProxyShell involves a set of three separate security flaws and allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server:

Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2021-31207 (Base Score: 7.2): Microsoft Exchange Server Security Feature Bypass Vulnerability

Microsoft released patches for those three vulnerabilities in April and May 2021 as part of its "Patch Tuesday" releases.
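The stages described above (webshell on the Exchange server running PowerShell as SYSTEM, a new local administrator account, and a Pass-the-Hash logon) each leave a recognisable trace in the Windows Security log. The following hunt is an added example written for this page, not Varonis's or Hive's code; it assumes events have already been parsed into simplified dicts (the field names and sample events are constructed, not the raw Windows XML names) and that a normal Exchange worker process (w3wp.exe) should never spawn a shell.

```python
"""Hunt over simplified Windows Security events for the intrusion stages described above.

Assumptions: events are pre-parsed dicts with constructed, simplified field names;
the time window and the sample events below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events modelled on the intrusion described in the text.
SAMPLE_EVENTS = [
    {"time": "2021-11-01T02:10:00", "id": 4688, "host": "EXCH01",
     "parent": "w3wp.exe", "image": "powershell.exe", "user": "SYSTEM"},
    {"time": "2021-11-01T02:15:00", "id": 4720, "host": "EXCH01",
     "subject": "SYSTEM", "target": "user"},
    {"time": "2021-11-01T02:15:30", "id": 4732, "host": "EXCH01",
     "target": "user", "group": "Administrators"},
    {"time": "2021-11-01T02:40:00", "id": 4624, "host": "EXCH01",
     "logon_type": 9, "logon_process": "seclogo", "auth_package": "Negotiate",
     "target": "Administrator"},
    {"time": "2021-11-01T09:00:00", "id": 4624, "host": "WS07",
     "logon_type": 2, "logon_process": "User32", "auth_package": "Negotiate",
     "target": "jdoe"},  # benign interactive logon, must not be flagged
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def hunt(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) tuples for events matching the described stages."""
    findings = []
    created = {}  # (host, account) -> time of the 4720 that created the account
    for e in sorted(events, key=_t):
        eid = e["id"]
        # Webshell stage: IIS worker process (w3wp.exe) spawning a shell as the parent.
        if eid == 4688 and e["parent"].lower() == "w3wp.exe" \
                and e["image"].lower() in {"powershell.exe", "cmd.exe"}:
            findings.append(("webshell_exec", e["host"], e["image"]))
        # New admin stage: 4720 (account created) then 4732 (added to Administrators).
        elif eid == 4720:
            created[(e["host"], e["target"].lower())] = _t(e)
        elif eid == 4732 and e["group"] == "Administrators":
            key = (e["host"], e["target"].lower())
            if key in created and _t(e) - created[key] <= window:
                findings.append(("new_local_admin", e["host"], e["target"]))
        # Pass-the-Hash stage: Mimikatz-style logon type 9 through the seclogo process.
        elif eid == 4624 and e["logon_type"] == 9 \
                and e["logon_process"].lower() == "seclogo":
            findings.append(("pass_the_hash", e["host"], e["target"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Event 4732 only records local group membership changes, so for a domain account added to a domain group the 4728/4756 equivalents would need the same treatment.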