Cyber criminals are using a new ransomware called Play, which has only been known since the summer of this year. In their attacks they use a new exploit chain to gain remote code execution on vulnerable servers via Outlook Web Access (OWA), as reported by the online magazine BleepingComputer.
The cybersecurity company CrowdStrike discovered the exploit and named it OWASSRF. Compromised Microsoft Exchange servers are used to infiltrate victims’ networks.
Remote PowerShell exploited
The ransomware gang then uses Remote PowerShell to execute arbitrary commands on the compromised servers. The criminals exploit the CVE-2022-41082 vulnerability in a way that bypasses the earlier ProxyNotShell mitigation measures for Exchange. Analysis of the attacks showed that the corresponding requests were made directly via the Outlook Web Application (OWA) endpoint, which points to a previously unknown exploit method for Exchange, the security researchers explained. One of the researchers who found the flaw said that it can be exploited as part of a “chain to leverage Exchange on-premises, Exchange Online, Skype for Business Server for remote code execution”.
It is currently unclear whether threat actors exploited the Exchange attack chain as a zero-day before Microsoft was able to release fixes. Organizations with on-premises Microsoft Exchange servers in their network are advised to apply the latest Exchange security updates (with November 2022 as the minimum patch level) or to disable OWA until the patches for CVE-2022-41080 can be applied.
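The article's advice hinges on knowing whether a server is actually at the November 2022 patch level, and that is easy to get wrong: the AdminDisplayVersion shown by Get-ExchangeServer only reflects the Cumulative Update, not the Security Update on top of it. The following is an added example, not code from the article or from CrowdStrike, for the Exchange Management Shell on an on-premises server. It reads the file version of ExSetup.exe, which does change with each Security Update, and compares it with a minimum build you pass in. The build number itself is not on this page, so it is a parameter you fill in from Microsoft's Exchange Server build number table for your Cumulative Update.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell on the
# Exchange server being checked. -MinimumBuild is the November 2022 Security Update
# build for your Cumulative Update (look it up; it is deliberately not hardcoded here).
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

# The CU-level version that most inventories record. It does NOT change when a
# Security Update is installed, so it cannot answer the "is the SU applied?" question.
Get-ExchangeServer | Format-Table Name, Edition, AdminDisplayVersion -AutoSize

# ExSetup.exe is updated by every Security Update, so its file version identifies the
# installed SU. Exchange setup puts its bin directory on PATH, which Get-Command relies on.
$exsetup = Get-Command ExSetup.exe -ErrorAction Stop
$installed = [version]$exsetup.FileVersionInfo.ProductVersion
Write-Host "Installed Exchange build (from ExSetup.exe): $installed"

if ($installed -lt $MinimumBuild) {
    Write-Warning ("Build $installed is below the required minimum $MinimumBuild. " +
                   "Apply the November 2022 Security Update, or keep OWA unreachable until you can.")
    exit 1
}

Write-Host "Build $installed meets or exceeds the minimum patch level $MinimumBuild."
exit 0
```

The script exits non-zero when the server is below the minimum, so it can be run from a fleet-wide job and the failures collected. Note that a later Cumulative Update resets the build numbering, so compare against the SU build for the CU that is actually installed rather than a single global value.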