Malicious 'Windows.exe' file poses threat to unpatched Microsoft Exchange servers

[Image: Surface Laptop 4 AMD 2021 keyboard lights (Image credit: Daniel Rubino / Windows Central)]

What you need to know

  • Microsoft Exchange Server issues in early 2021 led to threat actors absconding with valuable U.S.-based private and public sector data, resulting in the U.S. government getting involved in the security situation.
  • Though not as dramatic as 2021's saga, Exchange is once again in the spotlight thanks to Hive ransomware.
  • Hive has been exploiting unpatched Exchange server vulnerabilities in order to deploy ransomware and hold data hostage.

There are few constants in the world. Criminals utilizing ransomware to attack Microsoft products is one of them.

Though not as dramatic as the national-security-tier Exchange situation that dominated headlines in 2021, wherein state-sponsored hackers pilfered data that experts believe may be fuel for a secretive Chinese government AI project, the 2022 landscape isn't devoid of drama either.

As researched and reported by the Varonis Forensics Team, a threat named Hive is stirring the Exchange pot with ransomware attacks (via ZDNet). Since Varonis first spotted Hive in June 2021, it has seen cybercriminals use the aforementioned ransomware against nonprofits, energy providers, healthcare institutions, and more all across the world.

When it comes to the stakes of being attacked by Hive, it's what you might expect from ransomware: It'll infect your device, get ahold of your files, then demand you either pay up or risk seeing your sensitive data get published.

What makes Hive so insidious is that, as part of its assault on a device, it uses an attack called "Pass-The-Hash," which gives it access to domain admin accounts without the need for password cracking, resulting in an authenticated session within the network — the foundation for cybercrime field days. It achieves all of this through the delivery of a payload labeled "Windows.exe." If you guessed that the .exe isn't, in fact, in any way related to a legitimate instance of Windows, such as Windows 11, you'd be correct. It's nothing but bad news from Hive that will leave files encrypted and cut off from their rightful owners.
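From a defender's side, the two behaviours described above leave footprints in Windows Security logging: pass-the-hash produces NTLM network logons (event 4624, logon type 3) by a privileged account fanning out to several hosts from one source, and the dropped payload shows up as a process-creation event (4688) for an executable named "Windows.exe" in a user-writable path. The following detection sketch is an added example written for this article, not code from Varonis or Windows Central; the key=value log rendering, the field names, the sample events, the privileged-account list and the host-count threshold are all assumptions constructed for illustration.

```python
"""Detection sketch (hypothetical): flag possible pass-the-hash lateral movement
and a suspicious 'Windows.exe' process from key=value-rendered Security events."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names loosely mirror
# Windows Security log fields (EventID 4624 = logon, 4688 = process creation).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp Account=adm_jdoe Domain=CORP Source=10.0.5.23 Target=EXCH01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp Account=adm_jdoe Domain=CORP Source=10.0.5.23 Target=FS01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp Account=adm_jdoe Domain=CORP Source=10.0.5.23 Target=DC01",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos LogonProcess=Kerberos Account=adm_jdoe Domain=CORP Source=10.0.1.7 Target=DC01",
    "EventID=4624 LogonType=2 AuthPackage=Negotiate LogonProcess=User32 Account=jsmith Domain=CORP Source=10.0.9.4 Target=WS-042",
    "EventID=4688 NewProcessName=C:\\Users\\Public\\Windows.exe Account=adm_jdoe Domain=CORP Target=EXCH01",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe Account=SYSTEM Target=EXCH01",
]

# Assumption: in practice this set would be populated from AD group membership
# (Domain Admins and similar), not hard-coded.
PRIVILEGED_ACCOUNTS = {"adm_jdoe"}

# Assumption: one privileged account reaching this many distinct hosts over
# NTLM from a single source address is treated as lateral-movement-like.
PTH_HOST_THRESHOLD = 2

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value rendered event line into a dict."""
    return dict(KV.findall(line))


def is_ntlm_network_logon(ev):
    """Network (3) or NewCredentials (9) logon authenticated with NTLM rather
    than Kerberos: the logon shape a pass-the-hash session produces."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") in {"3", "9"}
            and ev.get("AuthPackage") == "NTLM")


def is_suspicious_windows_exe(ev):
    """Process creation whose image is named Windows.exe; no stock Windows
    component carries that file name, so any hit deserves a look."""
    if ev.get("EventID") != "4688":
        return False
    path = ev.get("NewProcessName", "")
    return path.lower().rsplit("\\", 1)[-1] == "windows.exe"


def analyze(lines, privileged=PRIVILEGED_ACCOUNTS, threshold=PTH_HOST_THRESHOLD):
    """Return a list of alert tuples for the given event lines."""
    alerts = []
    # (account, source address) -> set of hosts reached via NTLM network logons
    ntlm_targets = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_ntlm_network_logon(ev) and ev.get("Account") in privileged:
            ntlm_targets[(ev["Account"], ev["Source"])].add(ev["Target"])
        if is_suspicious_windows_exe(ev):
            alerts.append(("windows_exe", ev["Target"], ev["NewProcessName"]))
    for (account, source), targets in ntlm_targets.items():
        if len(targets) >= threshold:
            alerts.append(("possible_pth", account, source, tuple(sorted(targets))))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The Kerberos logon by the same admin and the interactive logon by a regular user are deliberately left unflagged; the rule fires only on the NTLM fan-out pattern and on the oddly named executable. In a real environment the threshold and the privileged set need tuning against baseline activity, and the 4688 rule should be paired with process command-line auditing so the parent process and arguments are recorded.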

Hive attacks are an active threat to unpatched Exchange servers, as Varonis notes in its account of recorded compromises. Servers that don't have the April and May 2021 security updates are susceptible, so anyone who's yet to patch up should get on that.

Robert Carnevale

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to