Hive ransomware targeting MSFT Exchange via ProxyShell Vulns: Tenable
“Attackers continue to exploit the ProxyShell vulnerabilities that were initially disclosed more than eight months ago. They have proven to be a reliable resource for attackers since their disclosure, despite patches being available. The latest attacks by an affiliate of the Hive ransomware group are enabled by the ubiquity of Microsoft Exchange and apparent delays in patching these months-old vulnerabilities. Organizations around the world in diverse sectors use Microsoft Exchange for critical business functions, making it an ideal target for threat actors.
“The exploit chain allows attackers to elevate privileges and then execute code remotely, and the availability of proofs-of-concept makes it easy for them to adopt into their playbooks.
“Because the ProxyShell chain goes from feature bypass, to privilege escalation, to remote code execution, it reduces the amount of reconnaissance and intermediate steps required for attackers to infiltrate target systems.” — Claire Tills, Senior Research Engineer at Tenable