A Hive ransomware affiliate has been deploying multiple backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell security issues.
As explained by my colleague, Cobalt Strike is threat emulation software, released in 2012, that deploys beacons on systems to simulate cyberattacks and test network defenses; attackers abuse the same beacons as a ready-made backdoor.
The cybercriminals then carry out network reconnaissance to determine potential weaknesses, collect admin login information, exfiltrate sensitive information, and deploy the file-encrypting payload.
The information comes from Varonis, an American software company that was called in to investigate a ransomware incident on one of its clients.
How Did It Happen?
ProxyShell is a group of three security flaws in Microsoft Exchange Server that, chained together, enable unauthenticated remote code execution on vulnerable deployments. As per BleepingComputer, the three vulnerabilities are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, with severity ratings ranging from 7.2 (high) to 9.8 (critical).
Although the security flaws had been fully patched since May 2021, full technical details about them were only made public in August 2021, and malicious exploitation began shortly after.
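Because exploitation of the ProxyShell chain described above begins with HTTP requests to the Exchange front end, the first place a defender can look for it is the IIS W3C logs. The following scanner is an added example written for this page, not code from Varonis, BleepingComputer or the Hive investigation: it parses constructed sample log lines (not from the incident) and flags requests to the Autodiscover JSON endpoint whose query string starts with "@", the shape that publicly documented hunting guidance associates with ProxyShell path confusion, and notes when such a request is aimed at the PowerShell or MAPI back ends. The field order in FIELDS, the hostnames and IP addresses, and the target list are assumptions; adjust them to the "#Fields:" header of your own logs.

```python
import re
from typing import Dict, List, Optional

# Assumed IIS W3C field order for the constructed sample below (a common Exchange
# layout; real deployments vary, so match this to your own "#Fields:" header).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "client_ip", "user_agent", "status"]

# Constructed sample log; the hosts and addresses are placeholders, not real IoCs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2021-09-01 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/ 443 - 203.0.113.9 python-requests/2.25 200
2021-09-01 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/ 443 - 203.0.113.9 python-requests/2.25 200
2021-09-01 10:00:04 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40corp.example 443 - 198.51.100.8 Outlook/16.0 200
"""

AUTODISCOVER_JSON = re.compile(r"^/autodiscover/autodiscover\.json$", re.IGNORECASE)

# Back-end paths that deserve the highest priority when they appear in a flagged
# request (assumed list; extend it for your environment).
HIGH_VALUE_TARGETS = ("/powershell", "/mapi/nspi")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into named fields; skip headers and malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_proxyshell_probe(uri_stem: str, uri_query: str) -> bool:
    """Heuristic: a hit on autodiscover.json whose query begins with '@'.

    Legitimate Autodiscover clients send Email=... style queries; a query that
    starts with '@' is the path-confusion shape and has no benign use here.
    """
    if not AUTODISCOVER_JSON.match(uri_stem):
        return False
    return uri_query.startswith("@")


def classify_target(uri_query: str) -> Optional[str]:
    """Return the high-value back-end path named in the query, if any."""
    lowered = uri_query.lower()
    for target in HIGH_VALUE_TARGETS:
        if target in lowered:
            return target
    return None


def scan(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_proxyshell_probe(rec["uri_stem"], rec["uri_query"]):
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client_ip": rec["client_ip"],
                "method": rec["method"],
                "query": rec["uri_query"],
                "target": classify_target(rec["uri_query"]),
                "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client_ip']} {f['method']} target={f['target']} "
              f"status={f['status']} query={f['query']}")
```

A status of 200 on a flagged request is the important signal: a 4xx means the front end refused the request, a 200 means the path confusion reached the back end and the host should be treated as potentially compromised and checked for web shells and follow-on beacons.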