The Play ransomware group is using a new exploit chain that bypasses the ProxyNotShell URL rewrite mitigations to gain remote code execution on Microsoft Exchange servers through Outlook Web Access (OWA).
According to the reports, researchers spotted the new exploit, dubbed OWASSRF, while studying Play ransomware intrusions in which the threat actors used Microsoft Exchange servers to breach a victim's network.
The ransomware actors exploited CVE-2022-41082 through remote PowerShell to execute arbitrary commands on the affected servers. This is the same RCE flaw abused by the ProxyNotShell operators.
The researchers also explained that a review of the relevant logs found no evidence that CVE-2022-41040, the SSRF component of ProxyNotShell, had been exploited for initial access in any of the cases.
Instead, the corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, a path the URL rewrite mitigation does not inspect. This detail implies that a previously unknown exploit method for Microsoft Exchange existed.
The Play ransomware used a different exploit from ProxyNotShell.
The researchers found that Play ransomware abused a newly discovered exploit that is not the same as ProxyNotShell. Investigation showed it relies on a Microsoft Exchange vulnerability that Microsoft rated critical and that had not previously been reported as exploited in the wild; it allows remote privilege escalation on Exchange servers.
The flaw is CVE-2022-41080, which was reported to Microsoft by several researchers. One of the researchers who found it explained that it could be abused as part of a chain to achieve remote code execution on on-premises Exchange servers.
It is unclear whether the threat actors were already abusing this Exchange attack chain as a zero-day before Microsoft released a patch. Play ransomware appends the .PLAY extension to encrypted files and drops a minimal ransom note containing only the word PLAY and a contact email address, which is unusual among ransomware operators.
There is still no evidence of data exposure linked to the group or any indication that information was stolen during the attacks. Exchange administrators should nevertheless apply Microsoft's November 2022 Exchange Server security updates, which patch both CVE-2022-41080 and CVE-2022-41082, rather than relying on the URL rewrite mitigation, before other threat groups adopt the exploit.