Analytics company Varonis found one of its customers had multiple devices and file servers compromised and encrypted by the threat group known as Hive. The initial indicator of compromise was the successful exploitation of Microsoft Exchange via vulnerabilities known as ProxyShell.
Hive is built for distribution in a ransomware-as-a-service model that lets affiliates use it as they see fit. The variant uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. While operating live on a victim's network, the operator disables anti-malware protections, then exfiltrates sensitive data and encrypts business files. Hive's affiliates use multiple mechanisms to compromise their victims' networks, including phishing emails with malicious attachments, leaked VPN credentials, and exploitation of vulnerabilities in external-facing assets. In addition, Hive drops a plain-text ransom note that threatens to publish the victim's data on the Tor website 'HiveLeaks' unless the victim meets the attacker's conditions.
While Microsoft Exchange and cloud-hosted SaaS applications provide some encryption at the application level, ransomware-as-a-service infections can use multiple attack vectors across Microsoft Azure and AWS, as these public cloud infrastructures are not natively encrypted. To maintain zero-trust principles at the networking level, a third-party, vendor-provided VPN should be implemented in a mesh topology that can obfuscate and protect all public cloud traffic and eliminate vulnerabilities. These solutions should also include endpoint device checks to minimize the likelihood of malware infections and credential theft.