US-CERT- AA22-321A: #StopRansomware: Hive Ransomware

Started by Netwörkheäd, November 17, 2022, 06:18:03 PM

Previous topic - Next topic

Netwörkheäd

AA22-321A: #StopRansomware: Hive Ransomware

[html]Original release date: November 17, 2022

Summary

Actions to Take Today to Mitigate Cyber Threats from Ransomware:



• Prioritize remediating https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities.

• Enable and enforce multifactor authentication with strong passwords

• Close unused ports and remove any application not deemed necessary for day-to-day operations.



Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit https://www.cisa.gov/stopransomware">stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.



The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.



FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.



Download the PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/aa22-321a_joint_csa_stopransomware_hive.pdf">pdf, 852.9 kb.


Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See https://attack.mitre.org/versions/v12/matrices/enterprise/">MITRE ATT&CK for Enterprise for all referenced tactics and techniques.



As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).



The method of initial intrusion will depend on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [https://attack.mitre.org/versions/v12/techniques/T1133/">T1133]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) https://nvd.nist.gov/vuln/detail/CVE-2020-12812">CVE-2020-12812. This vulnerability enables a malicious cyber actor to log in without a prompt for the user's second authentication factor (FortiToken) when the actor changes the case of the username.



Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [https://attack.mitre.org/versions/v12/techniques/T1566/001/">T1566.001] and by exploiting the following vulnerabilities against Microsoft Exchange servers [https://attack.mitre.org/versions/v12/techniques/T1190/">T1190]:





After gaining access, Hive ransomware attempts to evade detention by executing processes to:





Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [https://attack.mitre.org/versions/v12/techniques/T1112/">T1112].



Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [https://attack.mitre.org/versions/v12/techniques/T1537/">T1537]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.



During the encryption process, a file named *.key (previously *.key.*) is created in the root directory (C:\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [https://attack.mitre.org/versions/v12/techniques/T1486/">T1486]. The ransom note contains a "sales department" .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.



The ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, "HiveLeaks", contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).


https://us-cert.cisa.gov/sites/default/files/publications/How%20to%20Decrypt.png" width="548" />

 




   
   
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
   
Table 1: Anonymous File Sharing Sites Used to Disclose Data

         

https://anonfiles[.]com


         

         

https://mega[.]nz


         

         

https://send.exploit[.]in


         

         

https://ufile[.]io


         

         

https://www.sendspace[.]com


         

         

https://privatlab[.]net


         

         

https://privatlab[.]com


         


 



Once the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.



Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.



Indicators of Compromise



Threat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2–3 below for IOCs obtained from FBI threat response investigations as recently as November 2022.




   
   
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
      
         
      
   
Table 2: Known IOCs as of November 2022

         

Known IOCs - Files


         

         

HOW_TO_DECRYPT.txt typically in directories with encrypted files


         

         

*.key typically in the root directory, i.e., C:\ or /root


         

         

hive.bat


         

         

shadow.bat


         

         

asq.r77vh0[.]pw - Server hosted malicious HTA file


         

         

asq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution


         

         

asq.swhw71un[.]pw - Server hosted malicious HTA file


         

         

asd.s7610rir[.]pw - Server hosted malicious HTA file


         

         

Windows_x64_encrypt.dll


         

         

Windows_x64_encrypt.exe


         

         

Windows_x32_encrypt.dll


         

         

Windows_x32_encrypt.exe


         

         

Linux_encrypt


         

         

Esxi_encrypt


         

         

Known IOCs – Events


         

         

System, Security and Application Windows event logs wiped


         

         

Microsoft Windows Defender AntiSpyware Protection disabled


         

         

Microsoft Windows Defender AntiVirus Protection disabled


         

         

Volume shadow copies deleted


         

         

Normal boot process prevented


         

         

Known IOCs – Logged Processes


         

         

wevtutil.exe cl system


         

         

wevtutil.exe cl security


         

         

wevtutil.exe cl application


         

         

vssadmin.exe delete shadows /all /quiet


         

         

wmic.exe SHADOWCOPY /nointeractive


         

         

wmic.exe shadowcopy delete


         

         

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures


         

         

bcdedit.exe /set {default} recoveryenabled no


         


 




   
   
   
      
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
      
         
         
      
   
Table 3: Potential IOC IP Addresses as of November 2022Note: Some of these observed IP addresses are more than a year old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action like blocking.

         

Potential IOC IP Addresses for Compromise or Exfil:


         

         

84.32.188[.]57


         

         

84.32.188[.]238


         

         

93.115.26[.]251


         

         

185.8.105[.]67


         

         

181.231.81[.]239


         

         

185.8.105[.]112


         

         

186.111.136[.]37


         

         

192.53.123[.]202


         

         

158.69.36[.]149


         

         

46.166.161[.]123


         

         

108.62.118[.]190


         

         

46.166.161[.]93


         

         

185.247.71[.]106


         

         

46.166.162[.]125


         

         

5.61.37[.]207


         

         

46.166.162[.]96


         

         

185.8.105[.]103


         

         

46.166.169[.]34


         

         

5.199.162[.]220


         

         

93.115.25[.]139


         

         

5.199.162[.]229


         

         

93.115.27[.]148


         

         

89.147.109[.]208


         

         

83.97.20[.]81


         

         

5.61.37[.]207


         

         

5.199.162[.]220


         

         

5.199.162[.]229;


         

         

46.166.161[.]93


         

         

46.166.161[.]123;


         

         

46.166.162[.]96


         

         

46.166.162[.]125


         

         

46.166.169[.]34


         

         

83.97.20[.]81


         

         

84.32.188[.]238


         

         

84.32.188[.]57


         

         

89.147.109[.]208


         

         

93.115.25[.]139;


         

         

93.115.26[.]251


         

         

93.115.27[.]148


         

         

108.62.118[.]190


         

         

158.69.36[.]149/span>


         

         

181.231.81[.]239


         

         

185.8.105[.]67


         

         

185.8.105[.]103


         

         

185.8.105[.]112


         

         

185.247.71[.]106


         

         

186.111.136[.]37


         

         

192.53.123[.]202


         


 



MITRE ATT&CK TECHNIQUES



See table 4 for all referenced threat actor tactics and techniques listed in this advisory.




   
   
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
      
      
         
         
         
      
      
         
         
         
Table 4: Hive Actors ATT&CK Techniques for Enterprise

         

Initial Access


         

         

Technique Title


         

         

ID


         

         

Use


         

         

External Remote Services


         

         

https://attack.mitre.org/versions/v12/techniques/T1133/" style="color:#0563c1; text-decoration:underline">T1133


         

         

Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.


         

         

Exploit Public-Facing Application


         

         

https://attack.mitre.org/versions/v12/techniques/T1190/" style="color:#0563c1; text-decoration:underline">T1190


         

         

Hive actors gain access to victim network by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321.


         

         

Phishing


         

         

https://attack.mitre.org/versions/v12/techniques/T1566/001/" style="color:#0563c1; text-decoration:underline">T1566.001


         

         

Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.


         

         

Execution


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Command and Scripting Interpreter


         

         

https://attack.mitre.org/versions/v12/techniques/T1059/" style="color:#0563c1; text-decoration:underline">T1059


         

         

Hive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell.


         

         

Defense Evasion


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Indicator Removal on Host


         

         

https://attack.mitre.org/versions/v12/techniques/T1070/" style="color:#0563c1; text-decoration:underline">T1070


         

         

Hive actors delete Windows event logs, specifically, the System, Security and Application logs.


         

         

Modify Registry


         

         

https://attack.mitre.org/versions/v12/techniques/T1112/" style="color:#0563c1; text-decoration:underline">T1112


         

         

Hive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1.


         

         

Impair Defenses


         

         

https://attack.mitre.org/versions/v12/techniques/T1562/001/" style="color:#0563c1; text-decoration:underline">T1562


         

         

Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption.


         

         

Exfiltration


         

         

Technique Title


         

         

ID


         

         

Use


         

         

Transfer Data to Cloud Account


         

         

https://attack.mitre.org/versions/v12/techniques/T1537/" style="color:#0563c1; text-decoration:underline">T1537


         

         

Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz<

Let's not argue. Let's network!