Alert on Hive ransomware

Nov 25, 2022

Black Friday is here, and cyber attackers are already at work.

According to CISA and FBI information, threat actors have been using Hive ransomware to target a wide array of enterprises and critical infrastructure sectors between June 2021 and at least November 2022. This includes Healthcare and Public Health (HPH), Government Facilities, Communications, Critical Manufacturing, and Information Technology.

To date, the actors behind Hive ransomware have earned more than $100 million from 1,300 victims worldwide. Victims of this operation are also exposed to additional ransomware payloads, which cause further damage.

Deep Dive: The flow explained  

Hive actors have gained initial access to victim networks by using single-factor logins via:

  • Remote Desktop Protocol (RDP)
  • virtual private networks (VPNs)
  • other remote network connection protocols

In some instances, Hive actors have been able to bypass multifactor authentication (MFA) and access FortiOS systems by taking advantage of CVE-2020-12812.

By changing the case of the username, malicious actors can use this vulnerability to log in without being prompted for their FortiToken second authentication factor.
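The bypass described above leaves a recognisable trace in authentication logs: a successful login whose username matches a directory account only when case is ignored. The following is an added detection example, not code from the advisory or from Veriti; the log line format, the account names and the sample events are all constructed for this example and do not represent a real FortiOS log layout.

```python
"""Hypothetical detection over constructed VPN authentication log lines.

Flags successful logins where the presented username matches a directory
account only when case is ignored (a case-variant login), and notes when no
second factor was recorded for that login. The log format below is
constructed for this example and is not a real FortiOS format.
"""
import re
from typing import Dict, List

# Constructed canonical account names as they exist in the directory.
DIRECTORY_ACCOUNTS = {"jsmith", "adm.backup", "svc.monitor"}

# Constructed log grammar: one login event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) vpn-login user="(?P<user>[^"]+)" src=(?P<src>\S+) '
    r'result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2022-11-25T08:01:12Z vpn-login user="jsmith" src=203.0.113.10 result=success mfa=yes
2022-11-25T08:03:40Z vpn-login user="JSmith" src=198.51.100.7 result=success mfa=no
2022-11-25T08:05:02Z vpn-login user="adm.backup" src=198.51.100.7 result=failure mfa=no
2022-11-25T08:06:19Z vpn-login user="ADM.BACKUP" src=198.51.100.7 result=success mfa=no
2022-11-25T08:10:55Z vpn-login user="svc.monitor" src=203.0.113.22 result=success mfa=yes
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into its fields; reject unknown layouts."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def find_case_variant_logins(log_text: str, directory=DIRECTORY_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one finding per successful login whose username differs from
    the directory entry only by letter case."""
    canonical = {name.lower(): name for name in directory}
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue
        expected = canonical.get(ev["user"].lower())
        if expected is None:
            continue  # account unknown to the directory; out of scope here
        if ev["user"] != expected:
            reason = "username case differs from directory entry"
            if ev["mfa"] == "no":
                reason += "; no second factor recorded"
            findings.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "expected": expected,
                "src": ev["src"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_case_variant_logins(SAMPLE_LOG):
        print(finding)
```

The comparison is deliberately exact (`ev["user"] != expected`) after a case-insensitive lookup, so ordinary logins with the canonical spelling never trigger, while any case variant does; pairing the finding with the missing second-factor flag is what distinguishes a user's typing habit from the bypass pattern the advisory describes.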

Hive actors have also gained initial access to victim networks by exploiting the following vulnerabilities in Microsoft Exchange Server and in other remote-access products:

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability
  • CVE-2019-11510 – Pulse Connect Secure File Disclosure
  • CVE-2022-40684 – Fortinet Multiple Products Authentication Bypass

Preventing Security Misconfigurations is the key  

Veriti research found that 22% of organizations are not utilizing their current security products to protect against those vulnerabilities. 

The main reasons organizations are not maximizing their security against the Hive ransomware group are:

  1. Security vendor default configuration that is not set to protect. Vendors don’t want to create business disruptions, so they release new vulnerability protections in ‘alert’ mode rather than ‘block’ mode.
  2. Misconfiguration in the current security profiles and feature enablement. The root cause, in this case, is the inability to get complete visibility into the configuration on the enforcement points.
  3. Lack of cyber hygiene, specifically the best practice of updating current security technologies, due to lack of knowledge, visibility, or overreliance on manual update procedures.
  4. The exclusion of certain procedures and traffic from the inspection process, which exposes the organization to a large number of vulnerabilities. In most cases the reason for the exclusion is a security control that caused a business disruption event.

All organizations we have analyzed have purchased security products that can and should protect against these vulnerabilities, but they are not using them to protect against the above threats.
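The four misconfiguration classes listed above (protections left in alert mode, disabled signatures, stale signature packages, and traffic excluded from inspection) can be checked mechanically against a policy export. The following is an added example, not Veriti's product or any vendor's code; the JSON layout, profile name, signature entries and exclusion string are constructed for this example and do not correspond to a real export format. Only the CVE identifiers come from the advisory above.

```python
"""Hypothetical audit of a constructed IPS policy export.

For each CVE named in the advisory, report whether the profile has a
signature, whether it is enabled, and whether its action is 'block' rather
than 'alert'. Also report an out-of-date signature package and any traffic
excluded from inspection. The export layout is constructed for this example.
"""
import json
from datetime import date, timedelta
from typing import Dict, List

# CVEs listed in the advisory above.
HIVE_CVES = [
    "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473",
    "CVE-2021-34523", "CVE-2019-11510", "CVE-2022-40684",
]

# Constructed policy export (not a real vendor format).
POLICY_EXPORT = json.dumps({
    "signature_package_date": "2022-09-01",
    "profiles": [
        {
            "name": "edge-ips",
            "exclusions": ["10.20.0.0/16 -> exchange-srv"],
            "signatures": [
                {"cve": "CVE-2021-31207", "enabled": True,  "action": "alert"},
                {"cve": "CVE-2021-34473", "enabled": True,  "action": "block"},
                {"cve": "CVE-2021-34523", "enabled": False, "action": "block"},
                {"cve": "CVE-2019-11510", "enabled": True,  "action": "block"},
                {"cve": "CVE-2022-40684", "enabled": True,  "action": "alert"},
            ],
        }
    ],
})

# Assumed hygiene threshold for this example; pick one that fits your update cadence.
MAX_PACKAGE_AGE_DAYS = 30


def audit_policy(export_json: str, today: date, cves=HIVE_CVES) -> List[Dict[str, str]]:
    """Return one finding per gap; an empty list means every listed CVE is
    covered by an enabled blocking signature, the package is fresh and
    nothing is excluded from inspection."""
    policy = json.loads(export_json)
    findings: List[Dict[str, str]] = []

    # Hygiene: stale signature package.
    pkg_date = date.fromisoformat(policy["signature_package_date"])
    age = (today - pkg_date).days
    if age > MAX_PACKAGE_AGE_DAYS:
        findings.append({"profile": "*", "cve": "*",
                         "issue": f"signature package is {age} days old"})

    for profile in policy["profiles"]:
        by_cve = {s["cve"]: s for s in profile["signatures"]}
        # Coverage and enforcement mode per CVE.
        for cve in cves:
            sig = by_cve.get(cve)
            if sig is None:
                issue = "no signature covers this CVE"
            elif not sig["enabled"]:
                issue = "signature disabled"
            elif sig["action"] != "block":
                issue = f"action is '{sig['action']}', not 'block'"
            else:
                continue
            findings.append({"profile": profile["name"], "cve": cve, "issue": issue})
        # Exclusions bypass inspection entirely, regardless of signature state.
        for ex in profile.get("exclusions", []):
            findings.append({"profile": profile["name"], "cve": "*",
                             "issue": f"traffic excluded from inspection: {ex}"})
    return findings


def audit_sample(today_iso: str = "2022-11-25") -> List[Dict[str, str]]:
    """Run the audit over the constructed export for a given date."""
    return audit_policy(POLICY_EXPORT, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"[{finding['profile']}] {finding['cve']}: {finding['issue']}")
```

Run against the constructed export on the advisory's date, the audit reports six gaps: a signature package 85 days old, no signature at all for CVE-2020-12812, two Exchange and Fortinet signatures left in alert mode, one disabled signature, and one exclusion that bypasses inspection for the Exchange host. The exclusion is reported even though the profile otherwise looks healthy, because excluded traffic is never matched against any signature.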

Remediation: 

  • Review the enforced security profiles and policies per vendor to ensure protection against the Hive ransomware group.
  • Contact Veriti to schedule a security checkup and adjust your current security posture to protect against the Hive ransomware group.

The table below presents the effect of a misconfigured security posture on organizations that are unable to protect against Hive ransomware. The top impacted industries are government, manufacturing, and finance, while the top impacted organizations are from the USA, Germany, and Russia.

Veriti is a fast-growing infrastructure security innovator that helps organizations maximize their security posture while ensuring business uptime. Integrated with the entire security stack, Veriti provides a consolidated security platform that continually and proactively monitors exposure to threats and provides actionable remediation paths for security gaps, misconfigurations, and high-risk vulnerabilities across the organization’s infrastructure and attack surface. 
