Hive ransomware actors have amassed $100m from 1,300 businesses: CISA
Hive's ransomware affiliates have been seen attacking vulnerabilities in Microsoft Exchange Server and Fortinet VPNs
Hive ransomware operators attacked more than 1,300 businesses worldwide between June 2021 and November 2022, collecting roughly $100 million in ransom payments, according to a joint report from US federal agencies.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) last week published a joint Cybersecurity Advisory (CSA) alert regarding Hive ransomware.
The Hive ransomware uses the ransomware-as-a-service (RaaS) model, in which affiliates carry out the ransomware attacks while developers design, manage, and update the malware.
Over the last 18 months, threat actors have used the Hive ransomware to target a variety of enterprises and critical infrastructure sectors, including government facilities, critical manufacturing, IT, communications, and Healthcare and Public Health (HPH).
Hive's ransomware affiliates utilise a variety of tactics, techniques and procedures (TTPs) with numerous strategies to gain initial access to target networks. Phishing emails, the exploitation of known vulnerabilities, and vulnerable, external-facing remote services like Remote Desktop Protocol (RDP), or virtual private networks (VPNs) are the most common vectors used by Hive actors to spread their malware.
For example, Hive actors have exploited a critical security vulnerability in Fortinet's FortiOS SSL VPNs, tracked as CVE-2020-12812. This vulnerability allows an attacker to log in without a prompt for the user's second authentication factor (FortiToken) when the attacker changes the case of the username.
A number of vulnerabilities in Microsoft Exchange Server, including a remote code execution weakness (CVE-2021-34473), a feature bypass flaw (CVE-2021-31207), and a privilege escalation issue (CVE-2021-34523) have also been exploited by Hive actors.
Hive actors presumably exfiltrate data using a combination of Rclone and the cloud storage site Mega[.]nz, according to the researchers.
"In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD," they noted.
Hive ransomware, like most sophisticated ransomware payloads, executes processes that disable a wide range of antivirus and EDR solutions, destroy backups, and hinder recovery.
According to CISA, it disables all components of Windows Defender and other standard antivirus products in the system registry.
To restrict potential adversarial use of common system and network discovery methods and to lessen the danger of being compromised by Hive ransomware, the joint advisory recommends that organisations, especially those in the HPH sector, adopt the following measures:
- Confirm that Hive actors are no longer able to access the network
- Install operating system, software and firmware updates as soon as they are released
- Give top priority to patching VPN servers, remote access programmes, virtual machine programmes, and known exploited vulnerabilities
- Make phishing-resistant MFA a requirement for as many services as you can
- Secure and monitor RDP, if it is used
- Limit access to resources over internal networks
- Disable protocols and ports that aren't needed for business, such as RDP (port 3389/TCP)
- Maintain offline data backups
- Install and regularly update anti-malware software on all hosts
- Enable PowerShell logging, which includes module logging, script block logging, and transcription
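The last recommendation can be applied without Group Policy tooling by setting the policy registry keys that Windows PowerShell 5.x honours. The script below is an added example, not part of the CISA advisory; the transcript directory path is an assumption, and in a domain the equivalent settings under Administrative Templates > Windows Components > Windows PowerShell are the preferred way to deploy them.

```powershell
# Added example (not from the advisory): turn on module logging, script block
# logging and transcription, then read the settings back for a compliance check.
# Run in an elevated session.
#Requires -RunAsAdministrator

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; use a restricted, write-only share in production

function Set-PolicyValue {
    param([string]$Key, [string]$Name, [object]$Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Module logging (Event ID 4103): pipeline execution details for every module ("*").
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 2. Script block logging (Event ID 4104): the de-obfuscated text of each script
#    block is written to Microsoft-Windows-PowerShell/Operational when it is
#    compiled, so encoded or downloaded commands are still recorded.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 3. Transcription: a per-session text record, with an invocation header that
#    timestamps each command, written to $transcriptDir.
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'

# Read the policy values back so the result can be checked or exported as evidence.
function Get-PowerShellLoggingState {
    $mod = Get-ItemProperty "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    $sbl = Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $trn = Get-ItemProperty "$base\Transcription"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ModuleLogging      = ($mod.EnableModuleLogging      -eq 1)
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription      = ($trn.EnableTranscripting      -eq 1)
        TranscriptDir      = $trn.OutputDirectory
    }
}

Get-PowerShellLoggingState
```

Forward the Microsoft-Windows-PowerShell/Operational channel and the transcript directory to central log storage, since a ransomware operator with local administrator rights can clear or overwrite logs that stay on the host.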