Cybercriminals from the Play ransomware group carry out computer attacks aimed at companies equipped with a Microsoft Exchange server. To compromise the server, hackers use a new exploit dubbed OWASSRF, this exploit is linked to a security patched in November 2022 by Microsoft.
The CrowdStrike company conducted investigations into this attacks where the Exchange server was compromised and used to access the target infrastructure.
This exploit has been called “OWASSRF” and which consist in exploit the CVE-2022-41082 via Remote Powershell. This is the same vulnerability exploited with the ProxyNotShell attacks.
The difference with the OWASSRF exploit : the hackers exploite another & more recent vulnerability to attack Exchange servers: CVE-2022-41080. According to Microsoft, this is a critical flaw but it has not been exploited in attacks. Except that now it is.
With this exploit, hacker deploy some softs for remote control like Anydesk etc…
AFFECTED SYSTEMS:
- Microsoft Exchange Server 2013 all versions
- Microsoft Exchange Server 2016 all versions
- Microsoft Exchange Server 2019 all versions
OWASSRF REMEDIATION:
Microsoft already published an update, you have to update your Exchange Server, it must have at least the November 2022 updates for the CVE-2022-41080 vulnerability to be patched.
If you can’t update your servers, you must disable access to OWA because it is the entry point used by attackers to target mail servers.
For people looking for more information about play ransomware infection routine:
https://original-network.com/play-ransomware-infection-routine/
Cheers
