Malicious ‘Windows.exe’ File Poses Threat to Unpatched Microsoft Exchange Servers

Source: Daniel Rubino / Windows Central

There are few constants in the world. Criminals using ransomware to attack Microsoft products are among them.

Although not as dramatic as the national security-level Exchange situation that made headlines in 2021, in which state-sponsored hackers stole data that experts say could fuel a secret Chinese government AI project, the landscape of 2022 is not devoid of drama either.

As researched and reported by the Varonis Forensics Team, a threat named Hive is stirring the Exchange pot with ransomware attacks (via ZDNet). Since Varonis first spotted Hive in June 2021, it has seen cybercriminals use the ransomware against non-profit organizations, energy providers, healthcare facilities, and more, all over the world.

As for what is at stake when Hive attacks, expect the usual ransomware pattern: it infects your device, takes over your files, then demands payment or you risk seeing your sensitive data published.

What makes Hive so insidious is that, as part of its assault on a device, it uses an attack called “Pass-the-Hash”, which gives it access to domain administrator accounts without needing to crack the password and results in an authenticated session within the network, a field day for cybercriminals. It achieves all this through the delivery of a payload titled “Windows.exe”. If you guessed that the .exe is in fact in no way related to a legitimate instance of Windows, such as Windows 11, you are correct. It’s just bad news from Hive that will leave files encrypted and cut off from their rightful owners.

Hive attacks are an active threat to unpatched Exchange servers, which Varonis notes in reference to recorded instances of compromise. Servers that don’t have the April and May 2021 security updates are vulnerable, so anyone who hasn’t patched yet should get on it.
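Because the article notes that no legitimate Windows component is called “Windows.exe”, the payload name itself is a simple indicator a defender can hunt for in process-creation telemetry. The script below is an added illustration, not code from Varonis, Windows Central or the Hive write-up: it parses a handful of constructed process-creation log lines (the `key=value` layout is an assumption made for this example, not a product format) and flags any execution whose image file name is `Windows.exe`, regardless of case or directory, while leaving ordinary binaries alone even when they sit under a folder containing the word “Windows”.

```python
import ntpath
import re

# Constructed sample process-creation log lines (not real telemetry).
# The key=value layout is an assumption for this example only.
SAMPLE_LOG = r"""
ts=2022-04-20T08:01:12Z host=EXCH01 event=ProcessCreate user=CORP\svc-backup image=C:\Users\Public\Windows.exe parent=C:\Windows\System32\cmd.exe
ts=2022-04-20T08:01:13Z host=EXCH01 event=ProcessCreate user=NT AUTHORITY\SYSTEM image=C:\Windows\System32\svchost.exe parent=C:\Windows\System32\services.exe
ts=2022-04-20T08:05:40Z host=WS42 event=ProcessCreate user=CORP\alice image=C:\Temp\windows.EXE parent=C:\Windows\explorer.exe
ts=2022-04-20T08:06:02Z host=WS42 event=ProcessCreate user=CORP\alice image=C:\Program Files\Vendor\Windows Updater\update.exe parent=C:\Windows\explorer.exe
"""

# Image file names the article identifies as the Hive payload. Matching is
# done on the basename only, so the directory the file was dropped in is irrelevant.
SUSPICIOUS_IMAGE_NAMES = {"windows.exe"}

# key=value pairs; the lookahead lets values contain spaces (e.g. "NT AUTHORITY\SYSTEM").
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(PAIR_RE.findall(line))


def is_payload_name(image_path):
    """True if the executable's file name (case-insensitive) is on the watch list."""
    return ntpath.basename(image_path).lower() in SUSPICIOUS_IMAGE_NAMES


def find_payload_executions(log_text):
    """Return every process-creation event whose image matches the payload name."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event.get("event") == "ProcessCreate" and is_payload_name(event.get("image", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_payload_executions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']} ran {hit['image']} (parent: {hit['parent']})")
```

On the constructed input the two `Windows.exe` launches (one on the Exchange host, one with mixed-case spelling on a workstation) are reported, while `update.exe` under a “Windows Updater” folder is not, because the match is on the file name rather than on the path text. In a real environment the same rule can be expressed in whatever query language the SIEM or EDR uses; the point is that the basename comparison must be case-insensitive and independent of the drop directory.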