CyberWire Daily - CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. [CISA Cybersecurity Alerts]

Episode Date: November 18, 2022

The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

AA22-321A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. This is a CISA cybersecurity alert. ID number Alpha Alpha two two tack three two one Alpha. Original release date, November 16th, 2022. The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive ransomware group indicators of compromise and TTPs identified through FBI investigations. As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately $100 million in ransom payments. Hive ransomware follows the ransomware-as-a-service
Starting point is 00:00:52 model. Hive developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through November 2022, threat actors have used Hive Ransomware to target a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and especially healthcare and public health organizations. The method of initial intrusion depends on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single-factor logins via remote desktop protocol,
Starting point is 00:01:25 virtual private networks, and other remote network connection protocols. In some cases, Hive actors have bypassed multi-factor authentication with a known vulnerability that allows malicious cyber actors to log in without a prompt for the user's second authentication factor. Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments and by exploiting known vulnerabilities against Microsoft Exchange servers. The alert documentation linked in the show notes includes these known exploited vulnerabilities, indicators of compromise, TTPs, and mitigation actions. FBI, CISA, and HHS encourage organizations
Starting point is 00:02:05 to implement the recommendations in the mitigation section of this alert to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA. To report incidents and anomalous activity or to request incident response resources
Starting point is 00:02:22 or technical assistance, contact CISA at report@cisa.gov or call 888-282-0870 or report incidents to your local FBI field office. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.
