November 18, 2022

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a new joint alert that includes detailed information about known Hive IOCs and identified TTPs.

The ransomware’s initial intrusion method is determined by which affiliate targets the network. Hive actors are known to get first access to victim networks by logging in with a single factor via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other Remote Network Connection Protocols [T1133].

It is also known that Hive actors bypass multi-factor authentication (MFA) in some cases to gain access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) CVE-2020-12812. If the actor changes the username case, this vulnerability allows a malicious cyber actor to log in without being prompted for the user’s second authentication factor (FortiToken).

The group uses a ransomware-as-a-service (RaaS) model in which developers create and update malware that can be used by affiliate members for cyberattacks. Single-factor logins for Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote connection protocols are used to gain access. However, the group is also known to bypass multi-factor authentication to exploit known vulnerabilities in FortiOS servers.

According to this statement, Hive actors have successfully exploited more than 1,300 companies worldwide since this month and earned about 100 million dollars in ransom. Furthermore, it is said that the Hive gang sends additional ransomware payloads to victims who refuse to pay the ransom.

The sources for this piece include an article in BleepingComputer.