Alert on Hive ransomware

Black Friday is here, and cyber attackers are already at work   

According to CISA and FBI information, threat actors have been using Hive ransomware to target a wide array of enterprises and critical infrastructure sectors between June 2021 and at least November 2022, including Healthcare and Public Health (HPH), Government Facilities, Communications, Critical Manufacturing, and Information Technology.

To date, the operators behind Hive ransomware have earned more than $100 million from 1,300 victims worldwide. As a result of this operation, victims are also exposed to additional ransomware payloads, which cause further damage.

Deep Dive: The flow explained  

Hive actors have gained initial access to victim networks by using single-factor logins via:

  • Remote Desktop Protocol (RDP)
  • virtual private networks (VPNs)
  • other remote network connection protocols

In some instances, Hive actors have been able to bypass multifactor authentication (MFA) and access FortiOS systems by exploiting CVE-2020-12812.

By changing the case of the username, malicious actors can exploit this vulnerability to log in without being prompted for their FortiToken second authentication factor.
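A defender reading the above wants a way to spot the symptom in their own logs: a successful remote-access login whose username matches a known account only after case folding and that completed with no second factor. The script below is an added example written for this post, not Veriti's tooling and not taken from the CISA advisory. The log line format, the account directory and the log entries are all constructed for illustration; a real deployment would parse the gateway's actual log schema instead.

```python
"""Flag remote-access logins whose username case differs from the directory's
canonical spelling and that completed with no second factor.

Added example (not from the Veriti post or the CISA advisory). The log format,
the account directory and the log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed canonical account directory: the spelling the identity store knows.
DIRECTORY = {"jsmith", "Admin.Ops", "r.lee"}
CANONICAL = {name.lower(): name for name in DIRECTORY}

# Constructed log lines in a generic key=value shape (not a real vendor format).
SAMPLE_LOG = """\
2022-11-18T09:01:12Z action=login user="jsmith" src=10.0.4.21 mfa=token result=success
2022-11-18T09:03:40Z action=login user="JSMITH" src=198.51.100.7 mfa=none result=success
2022-11-18T09:05:02Z action=login user="Admin.Ops" src=10.0.4.30 mfa=token result=success
2022-11-18T09:06:55Z action=login user="admin.ops" src=203.0.113.9 mfa=none result=success
2022-11-18T09:07:10Z action=login user="r.lee" src=10.0.4.44 mfa=none result=failure
2022-11-18T09:08:00Z action=login user="ghost" src=203.0.113.9 mfa=none result=success
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) action=login user="(?P<user>[^"]*)" src=(?P<src>\S+) '
    r'mfa=(?P<mfa>\S+) result=(?P<result>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user_as_typed: str
    canonical: str
    src: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_case_mismatch_logins(log_text):
    """Return successful, single-factor logins whose username only matches a
    directory account after case folding. Unknown accounts are skipped here;
    they belong to a separate alert."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        canonical = CANONICAL.get(rec["user"].lower())
        if canonical is None or canonical == rec["user"]:
            continue  # unknown account, or the exact canonical spelling
        if rec["mfa"] == "none":
            findings.append(Finding(rec["ts"], rec["user"], canonical, rec["src"]))
    return findings


if __name__ == "__main__":
    for f in find_case_mismatch_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: '{f.user_as_typed}' matched '{f.canonical}' "
              "without a second factor")
```

On the constructed sample this reports the `JSMITH` and `admin.ops` logins and ignores the failed attempt and the unknown account. The check is deliberately narrow (success, case-variant name, no second factor recorded) so that it stays quiet on ordinary logins; widening it to any case-variant login is a one-line change if the environment never expects such variation.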

Hive actors have also gained initial access to victim networks by exploiting the following vulnerabilities in Microsoft Exchange servers and in Pulse Secure and Fortinet products:

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability
  • CVE-2019-11510 – Pulse Connect Secure File Disclosure
  • CVE-2022-40684 – Fortinet Multiple Products Authentication Bypass

Preventing Security Misconfigurations is the key  

Veriti research found that 22% of organizations are not using the security products they already own to protect against these vulnerabilities.

The main reasons for not maximizing their security against the Hive ransomware group are: 

  1. Security vendor default configuration that is not set to protect. Vendors do not want to cause business disruptions, so they release new vulnerability protections in ‘alert’ mode rather than ‘block’ mode.
  2. Misconfiguration in the current security profiles and feature enablement. The root cause here is the lack of complete visibility into the configuration on the enforcement points.
  3. Lack of cyber hygiene, specifically the best practice of keeping current security technologies updated, due to lack of knowledge, lack of visibility, or overreliance on manual update procedures.
  4. The exclusion of certain procedures and traffic from the inspection process, which exposes the organization to a large number of vulnerabilities. In most cases the exclusion was added after a security control caused a business disruption event.
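The four causes above are all visible in an enforcement point's exported profile, so the first step of a checkup is a mechanical audit of it. The script below, an added example that is not Veriti's product code, takes a vendor-neutral JSON export (a constructed shape; real products have their own schema) and reports, for each CVE named in this post, whether the matching signature is in ‘alert’ mode (cause 1), disabled (cause 2/3) or missing altogether, and lists any sources excluded from inspection (cause 4).

```python
"""Audit an intrusion-prevention profile for the Hive-related CVEs named in the
post: report signatures left in 'alert' mode, disabled signatures, CVEs with
no signature at all, and traffic excluded from inspection.

Added example, not Veriti's tooling. The profile layout below is a constructed,
vendor-neutral JSON shape; real products export their own schema.
"""
import json

# CVEs listed in the post as used by Hive actors for initial access.
HIVE_CVES = {
    "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473",
    "CVE-2021-34523", "CVE-2019-11510", "CVE-2022-40684",
}

# Constructed profile export. 'action' is what the enforcement point does on a
# match; 'exclusions' lists traffic that bypasses inspection entirely.
PROFILE_JSON = """
{
  "profile": "perimeter-ips",
  "signatures": [
    {"id": "sig-1001", "cve": ["CVE-2021-34473", "CVE-2021-34523"], "enabled": true,  "action": "alert"},
    {"id": "sig-1002", "cve": ["CVE-2021-31207"],                   "enabled": true,  "action": "block"},
    {"id": "sig-1003", "cve": ["CVE-2019-11510"],                   "enabled": false, "action": "block"},
    {"id": "sig-1004", "cve": ["CVE-2020-12812"],                   "enabled": true,  "action": "block"},
    {"id": "sig-2000", "cve": ["CVE-2017-0144"],                    "enabled": true,  "action": "alert"}
  ],
  "exclusions": [
    {"src": "10.20.0.0/16", "reason": "ERP outage 2022-03", "bypass_ips": true}
  ]
}
"""

# Higher rank means stronger protection; used when several signatures cover one CVE.
RANK = {"block": 3, "alert": 2, "disabled": 1, "missing": 0}


def signature_state(sig):
    """Effective state of one signature: 'disabled', 'block', or its non-blocking action."""
    if not sig["enabled"]:
        return "disabled"
    return "block" if sig["action"] == "block" else sig["action"]


def audit_profile(profile):
    """Return {'gaps': {cve: state}, 'exclusions': [...]}.

    'gaps' contains only the Hive CVEs whose best available signature does
    not block; 'exclusions' lists sources that bypass IPS inspection."""
    coverage = {cve: "missing" for cve in HIVE_CVES}
    for sig in profile["signatures"]:
        state = signature_state(sig)
        for cve in sig["cve"]:
            if cve not in HIVE_CVES:
                continue
            # Treat unknown non-blocking actions (e.g. 'monitor') like 'alert'.
            if RANK.get(state, RANK["alert"]) > RANK[coverage[cve]]:
                coverage[cve] = state
    gaps = {cve: st for cve, st in coverage.items() if st != "block"}
    exclusions = [e for e in profile.get("exclusions", []) if e.get("bypass_ips")]
    return {"gaps": gaps, "exclusions": exclusions}


def audit_json(text):
    """Convenience wrapper: audit a JSON profile export given as a string."""
    return audit_profile(json.loads(text))


if __name__ == "__main__":
    report = audit_json(PROFILE_JSON)
    for cve, state in sorted(report["gaps"].items()):
        print(f"{cve}: {state}")
    for ex in report["exclusions"]:
        print(f"inspection bypass for {ex['src']} ({ex['reason']})")
```

Against the constructed profile the audit flags the two Exchange CVEs sitting in alert mode, the disabled Pulse Secure signature, the absent CVE-2022-40684 coverage, and the /16 that was excluded after an outage. Running the same audit per vendor and per enforcement point is what the remediation step below amounts to in practice.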

All of the organizations we analyzed had purchased security products that can and should protect against these vulnerabilities, yet they are not using them to protect against the threats above.

Remediation: 

  • Review the enforced security profiles and policies per vendor to ensure protection against the Hive ransomware group.
  • Contact Veriti to schedule a security checkup that adjusts your current security posture to protect against the Hive ransomware group.

The table below presents the effect of a misconfigured security posture on organizations that are unable to protect against Hive ransomware. The top impacted industries are government, manufacturing, and finance, while the top impacted organizations are in the USA, Germany, and Russia.

Veriti is a fast-growing infrastructure security innovator that helps organizations maximize their security posture while ensuring business uptime. Integrated with the entire security stack, Veriti provides a consolidated security platform that continually and proactively monitors exposure to threats and provides actionable remediation paths for security gaps, misconfigurations, and high-risk vulnerabilities across the organization’s infrastructure and attack surface. 
