FBI warns of persistent threat from Hive ransomware

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a new joint alert that includes detailed information about known Hive IOCs and identified TTPs.

The ransomware’s initial intrusion method is determined by which affiliate targets the network. Hive actors are known to get first access to victim networks by logging in with a single factor via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other Remote Network Connection Protocols [T1133].

It is also known that Hive actors bypass multi-factor authentication (MFA) in some cases to gain access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) CVE-2020-12812. If the actor changes the username case, this vulnerability allows a malicious cyber actor to log in without being prompted for the user’s second authentication factor (FortiToken).

The group uses a ransomware-as-a-service (RaaS) model in which developers create and update malware that can be used by affiliate members for cyberattacks. Single-factor logins for Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote connection protocols are used to gain access. However, the group is also known to bypass multi-factor authentication to exploit known vulnerabilities in FortiOS servers.

According to this statement, Hive actors have successfully exploited more than 1,300 companies worldwide since this month and earned about 100 million dollars in ransom. Furthermore, it is said that the Hive gang sends additional ransomware payloads to victims who refuse to pay the ransom.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web