Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Exchange Servers Hacked to Deploy Hive Ransomware

Microsoft Exchange Servers Hacked to Deploy Hive Ransomware

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.

From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, ultimately deploying the file-encrypting payload.

The details come from security and analytics company Varonis, who was called in to investigate a ransomware attack on one of its customers.

A widely abused initial access

ProxyShell is a set of three vulnerabilities in the Microsoft Exchange Server that allow remote code execution without authentication on vulnerable deployments. The flaws have been used by multiple threat actors, including ransomware like ContiBlackByteBabukCuba, and LockFile, after exploits became available.

The flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31297, and their severity rating ranges from 7.2 (high) to 9.8 (critical).

The security vulnerabilities are considered fully patched as of May 2021, but extensive technical details about them were only made available in August 2021, and soon after that, malicious exploitation started [12].

The fact that Hive’s affiliate was successful in exploiting ProxyShell in a recent attack shows that there is still room for targeting vulnerable servers.

From access to encryption

Following the exploitation of ProxyShell, the hackers planted four web shells in an accessible Exchange directory, and executed PowerShell code with high privileges to download Cobalt Strike stagers.

Also Read: Data Storage Security Standards: What Storage Professionals Need to Know

The web shells used in this particular attack were sourced from a public Git repository and were merely renamed to evade detection during potential manual inspections.

Randomly-named web shells
Randomly-named web shells (Varonis)

From there, the intruders used Mimikatz, a credentials stealer, to snatch the password of a domain admin account and perform lateral movement, accessing more assets in the network.

Launching a new command prompt on the affected system
Launching a new command prompt on the affected system (Varonis)

Next, the threat actors performed extensive file search operations to locate the most valuable data to pressure the victim into paying a larger ransom.

Varonis analysts have seen remnants of dropped network scanners, IP address lists, device and directory enumerations, RDPs to backup servers, scans for SQL databases, and more.

One notable case of network scanning software abuse was “SoftPerfect”, a lightweight tool that the threat actor used for enumerating live hosts by pinging them and saving the results on a text file.

Finally, and after all files had been exfiltrated, a ransomware payload named “Windows.exe” was dropped and executed on multiple devices.

Before encrypting the organization’s files, the Golang payload deleted shadow copies, disabled Windows Defender, cleared Windows event logs, killed file-binding processes, and stopped the Security Accounts Manager to incapacitate alerts.

Also Read: IT Governance Framework PDF Best Practices And Guidelines

Commands executed by the payload
Commands executed by the final payload (Varonis)

Hive evolution

Hive has gone a long way since it was first observed in the wild back in June 2021, having a successful start that prompted the FBI to release a dedicated report on its tactics and indicators of compromise.

In October 2021, the Hive gang added Linux and FreeBSD variants, and in December it became one of the most active ransomware operations in attack frequency.

Last month, researchers at Sentinel Labs reported on a new payload-hiding obfuscation method employed by Hive, which indicates active development.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us