Microsoft Exchange Server attacked by Hive's 'windows.exe” ransomware
While keeping software updated and only downloading files from trusted sources are standard cybersecurity practices, given the recent rise in malware attacks, it’s clear that more is needed in this regard educate. To that end, the Varonis forensics team has provided some guidance on how attackers using Hive ransomware are targeting Microsoft Exchange Server in their latest series of attacks. For those who don’t know, Hive follows a ransomware-as-a-service model.
While Microsoft patched Exchange Server for known vulnerabilities in 2021 and most organizations have updated, some have not. Hive now targets these vulnerable server instances via a ProxyShell vulnerability to gain SYSTEM privileges. The PowerShell script then starts Cobalt Strike and creates a new sysadmin account named "user".
After this, Mimikatz was used to steal the domain administrator's NTLM hash and gain control of the account. After a successful compromise, Hive performs some discovery where it deploys a network scanner to store IP addresses, scans files that contain "password" in their file names, and attempts to RDP into the backup server to access sensitive assets.
Finally, the custom malware payload is deployed and executed via a "windows.exe" file, which steals and encrypts files, deletes shadow copies, clears event logs, and disables security mechanisms. Ransomware instructions are then displayed asking the group to contact Hive's "sales department" hosted on a .onion address accessible through the Tor network. The following instructions have also been provided to infected organizations:
- Do not modify, rename, or delete *.key. document. Your data will not be able to be decrypted.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the police, FBI, etc. They don't care about your business. They don't allow you to pay at all. As a result you will lose everything.
- Don’t hire a recovery company. They cannot decrypt without the key. They don't care about your business either. They believe they are good negotiators, but they are not. They usually fail. So speak for yourself.
- Don't refuse (sic) the purchase. Leaked documents will be publicly disclosed.
The last point is certainly interesting because if Hive had not been paid, their information would have been published on the "HiveLeaks" Tor website. A countdown is displayed on the same website to force victims to pay.
The security team noted that in one instance, the attackers managed to encrypt the environment within 72 hours of the initial breach. Therefore, it recommends that organizations immediately patch Exchange servers, regularly rotate complex passwords, block SMBv1, restrict access where possible, and train employees in the area of cybersecurity.
The above is the detailed content of Microsoft Exchange Server attacked by Hive's 'windows.exe” ransomware. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
What software is crystaldiskmark? -How to use crystaldiskmark?
Mar 18, 2024 pm 02:58 PM
CrystalDiskMark is a small HDD benchmark tool for hard drives that quickly measures sequential and random read/write speeds. Next, let the editor introduce CrystalDiskMark to you and how to use crystaldiskmark~ 1. Introduction to CrystalDiskMark CrystalDiskMark is a widely used disk performance testing tool used to evaluate the read and write speed and performance of mechanical hard drives and solid-state drives (SSD). Random I/O performance. It is a free Windows application and provides a user-friendly interface and various test modes to evaluate different aspects of hard drive performance and is widely used in hardware reviews
CrystalDiskinfo usage tutorial-What software is CrystalDiskinfo?
Mar 18, 2024 pm 04:50 PM
CrystalDiskInfo is a software used to check computer hardware devices. In this software, we can check our own computer hardware, such as reading speed, transmission mode, interface, etc.! So in addition to these functions, how to use CrystalDiskInfo and what exactly is CrystalDiskInfo? Let me sort it out for you! 1. The Origin of CrystalDiskInfo As one of the three major components of a computer host, a solid-state drive is the storage medium of a computer and is responsible for computer data storage. A good solid-state drive can speed up file reading and affect consumer experience. When consumers receive new devices, they can use third-party software or other SSDs to
How to set the keyboard increment in Adobe Illustrator CS6 - How to set the keyboard increment in Adobe Illustrator CS6
Mar 04, 2024 pm 06:04 PM
Many users are using the Adobe Illustrator CS6 software in their offices, so do you know how to set the keyboard increment in Adobe Illustrator CS6? Then, the editor will bring you the method of setting the keyboard increment in Adobe Illustrator CS6. Interested users can take a look below. Step 1: Start Adobe Illustrator CS6 software, as shown in the figure below. Step 2: In the menu bar, click the [Edit] → [Preferences] → [General] command in sequence. Step 3: The [Keyboard Increment] dialog box pops up, enter the required number in the [Keyboard Increment] text box, and finally click the [OK] button. Step 4: Use the shortcut key [Ctrl]
How to resolve an incompatible software attempt to load with Edge?
Mar 15, 2024 pm 01:34 PM
When we use the Edge browser, sometimes incompatible software attempts to be loaded together, so what is going on? Let this site carefully introduce to users how to solve the problem of trying to load incompatible software with Edge. How to solve an incompatible software trying to load with Edge Solution 1: Search IE in the start menu and access it directly with IE. Solution 2: Note: Modifying the registry may cause system failure, so operate with caution. Modify registry parameters. 1. Enter regedit during operation. 2. Find the path\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micros
What software is photoshopcs5? -photoshopcs5 usage tutorial
Mar 19, 2024 am 09:04 AM
PhotoshopCS is the abbreviation of Photoshop Creative Suite. It is a software produced by Adobe and is widely used in graphic design and image processing. As a novice learning PS, let me explain to you today what software photoshopcs5 is and how to use photoshopcs5. 1. What software is photoshop cs5? Adobe Photoshop CS5 Extended is ideal for professionals in film, video and multimedia fields, graphic and web designers who use 3D and animation, and professionals in engineering and scientific fields. Render a 3D image and merge it into a 2D composite image. Edit videos easily
What software is coreldraw - how to download the official free version of cdr2022?
Mar 18, 2024 pm 11:00 PM
CorelDRAW software is a vector graphics production tool software produced by Corel. It is mainly used for vector graphics, page design and image editing. Next, let the editor introduce to you what software coreldraw is? How to download the official free version of cdr2022! 1. What software is coreldraw? The origin of CorelDRAW. The full name of CorelDRAW software is CorelDRAW. It is a graphic design software for producing vector graphics. CorelDRAWX4 has been updated and optimized in text format, new interactive tables and page layer functions. CorelDRAWX4 supports online service integration and collaboration. As a graphic image tool and vector drawing software, it
All software will be opened with WPS, and the exe default opening method will be restored.
Jun 19, 2024 am 01:48 AM
All the software on my friend's computer has been opened using WPS and cannot run normally. All exes cannot be opened, including the task manager, registry, control panel, settings, etc. When opened, all WPS garbled characters appear. This situation cannot be done remotely. The remote software is also an exe, which seems to be unsolvable. Let’s take a look at how 20 operates to restore the computer to normal. This is because the opening method of the exe has been changed to WPS, and you only need to restore the default opening method. Er0 exports the exe registry information on a normal computer and puts it on the website. Because the browser can be opened, please guide your friends to open our website, copy the registry information, create a new text document on the desktop, and save it as [File name: 1.reg; Save type: All files (*.
How to burn CD music disc with nero express - How to burn CD music disc with nero express
Mar 06, 2024 pm 06:40 PM
I believe that the users here are no strangers to neroexpress, but do you know how to burn CD music discs with neroexpress? The editor below will bring you the method of burning CD music discs with neroexpress. Interested users can take a look below. Step 1. Click "All Programs" → Nero7 Premium → "Data" → NeroExpress command in the start menu to run the NeroExpress program. Step 2, click the "Music" option in the left pane of the NeroExpress program window, and then click the "Music Disc" option in the right pane. Step 3. Open the "My Music CD" dialog box and click the "Add" button. 4th