CISA, FBI, HHS issue warning of Hive RaaS hackers continuing to target critical infrastructure, especially HPH sector


The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) rolled out on Thursday a joint cybersecurity advisory (CSA) to disseminate known Hive IOCs (indicators of compromise) and TTPs (tactics, techniques, and procedures) identified through FBI investigations as recently as this month. 

“From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH). The method of initial intrusion will depend on which affiliate targets the network,” the CSA disclosed. The advisory also said that “as of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments,” according to FBI information.

The advisory identified that the Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks.

Based on these details, the agencies recommend that organizations implement the recommendations in the mitigations section of the CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA. The CSA suggests that organizations prioritize remediating known exploited vulnerabilities, enable and enforce multi-factor authentication with strong passwords, close unused ports and remove any application not deemed necessary for day-to-day operations.

Last month, there were news reports that the Hive RaaS group had begun leaking data stolen from India’s Tata Power Energy Company. Less than two weeks earlier, the hacker group had claimed responsibility for a cyber attack against Tata Power, which the company confirmed. In screenshots posted on their leak site, Hive operators published data they claim to have stolen from Tata Power, indicating that the ransom negotiations had failed.

The CSA added that Hive hackers have gained initial access to victim networks through single-factor logins over Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. “In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE). This vulnerability enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.”

Additionally, Hive hackers have gained initial access to victim networks by distributing phishing emails with malicious attachments and by exploiting vulnerabilities in Microsoft Exchange servers, such as the Microsoft Exchange Server Security Feature Bypass Vulnerability, the Microsoft Exchange Server Remote Code Execution Vulnerability, and the Microsoft Exchange Server Privilege Escalation Vulnerability.

After gaining access, Hive ransomware attempts to evade detection by enumerating running processes to identify those related to backups, antivirus/anti-spyware, and file copying, and then terminating them to facilitate file encryption. It also stops the volume shadow copy services and removes all existing shadow copies via the command line or PowerShell. It also deletes Windows event logs, specifically the system, security, and application logs.

Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry, the CSA disclosed. Hive hackers likely exfiltrate data using a combination of Rclone and a cloud storage service. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.
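As an added illustration, not part of the advisory or this article, the following Python triage routine maps the behaviours described in the two paragraphs above (shadow copy deletion, event log clearing, termination of backup/antivirus processes, Defender disabled through the registry) onto constructed sample Windows event records. The event shapes, command lines and the backup_agent.exe process name are assumptions made for the example, not indicators from the CSA.

```python
import re

# Constructed sample telemetry (not from the advisory): parsed Windows events in the
# shape of Sysmon process-create (ID 1), registry-set (ID 13) and Security-log-cleared
# (ID 1102) records. The backup_agent.exe name is invented for the example.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "cmd": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"},
    {"id": 1, "cmd": "wevtutil cl Security"},
    {"id": 1102, "channel": "Security"},
    {"id": 1, "cmd": "taskkill /f /im backup_agent.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"id": 1, "cmd": "notepad.exe quarterly_report.txt"},   # benign control event
]


def _cmd(event):
    """Lower-cased command line, or '' for events that carry none."""
    return event.get("cmd", "").lower()


# Each rule maps one behaviour the advisory attributes to Hive onto a predicate over an event.
# The taskkill rule is deliberately coarse; in production it would be narrowed to a list of
# backup and antivirus process names.
RULES = [
    ("shadow copy deletion", lambda e: e.get("id") == 1 and bool(
        re.search(r"vssadmin.*delete\s+shadows", _cmd(e))
        or "win32_shadowcopy" in _cmd(e)
        or re.search(r"wmic.*shadowcopy.*delete", _cmd(e)))),
    ("event log clearing", lambda e: e.get("id") in (1102, 104) or (
        e.get("id") == 1 and bool(re.search(r"wevtutil.*\bcl\b", _cmd(e))))),
    ("backup/AV process termination", lambda e: e.get("id") == 1 and bool(
        re.search(r"taskkill.*\s/im\s", _cmd(e)))),
    ("Defender disabled via registry", lambda e: e.get("id") == 13
        and "windows defender" in e.get("key", "").lower()
        and "disable" in e.get("key", "").lower()),
]


def triage(events):
    """Return the name of every rule fired, in event order."""
    return [name for e in events for name, match in RULES if match(e)]


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("ALERT:", name)
```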

The CSA also disclosed that some victims reported receiving phone calls or emails from Hive actors directly to discuss payment. “The ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, ‘HiveLeaks,’ contains data exfiltrated from victim organizations who do not pay the ransom demand. Additionally, Hive actors have used anonymous file-sharing sites to disclose exfiltrated data.”

The advisory also noted that once the victim organization contacts Hive hackers on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. “Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin. Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment,” the advisory revealed.

The FBI, CISA, and HHS recommend organizations, particularly in the HPH sector, verify that Hive hackers no longer have access to the network, install updates for operating systems, software, and firmware as soon as they are released, and prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. 

Additionally, organizations must consider leveraging a centralized patch management system to automate and expedite the process and requiring phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.

The CSA also called upon organizations to maintain offline backups of data, and to regularly maintain backup and restoration. By instituting this practice, an organization ensures it will not be severely interrupted or left only with irretrievable data. It also suggests ensuring that all backup data is encrypted, immutable, and covers the organization’s entire data infrastructure. Furthermore, organizations must ensure that their backup data is not already infected, and must monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
