Heimdal
article featured image

Contents:

A group of threat actors known as Play ransomware is using a new exploit in Microsoft Exchange to breach servers. The exploit chain bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers.

The ransomware operators used Remote PowerShell to misuse CVE-2022-41082, the same flaw that ProxyNotShell used to execute arbitrary commands on infected servers.

Cybersecurity researchers discovered that the operators would make requests directly through the Outlook Web Application (OWA) endpoint, an exploit method for Exchange previously undisclosed.

How Threat Actors Exploited the Vulnerability?

Researchers discovered that the vulnerability exploited is probably CVE-2022-41080, a security vulnerability Microsoft classified as critical but which has not yet been used in the wild and which permits remote privilege escalation on Exchange servers.

OWASSRF PoC Exploit (Source: BleepingComputer)

One of the researchers who discovered the bug said that it can be exploited as part of a “chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server (maybe SFB Online+Teams too but can’t find its PowerShell remote endpoint).” It is currently unknown if the threat actors used this Microsoft Exchange attack chain as a zero-day exploit prior to the announcement of remedies.

OWASS PoC Exploit Leaked

On December 14th, a threat actor’s tooling was discovered by a security researcher and leaked online, allowing other organizations to replicate the malicious activity logged in Play ransomware’s attacks. The leak contained a PoC for Play’s Exchange exploit.

It is believed that the proof-of-concept exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers.

BleepingComputer found that the leaked tooling contained ConnectWise, a remote administration software likely deployed in attacks as well. Businesses having on-premises Microsoft Exchange servers on their network are urged to either enable OWA until the CVE-2022-41080 fix can be implemented or to apply the most recent Exchange security updates (with November 2022 being the minimum patch level).

As per BleepingComputer, the Play ransomware operation was launched in July 2022, and since, dozens of businesses were affected. Recent victims include the Belgian city of Antwerp, H-Hotels, and Argentina’s Judiciary of Córdoba. Currently, there is no legitimate proof that the attack is stealing victims’ data.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE