Ransomware group uses new Microsoft Exchange exploits to hack servers

The Play ransomware threat actor uses a new bypass exploit chain to gain remote code execution on compromised servers via Outlook Web Access (OWA).

CrowdStrike, a cybersecurity company, discovered the exploit (dubbed OWASSRF) while looking into Play ransomware attacks in which compromised Microsoft Exchange servers were used to infiltrate victims’ networks.

The ransomware operators used remote PowerShell to execute arbitrary commands on the compromised servers, exploiting the same bug that ProxyNotShell also exploited.

“CrowdStrike examined the logs in each case and concluded that there was no evidence of CVE-2022-4040 being exploited for initial access,” the researchers said.

It turned out that the corresponding requests were sent directly to Outlook Web Application (OWA), which indicates a previously unreported Exchange exploit.

ProxyNotShell attacks . CrowdStrike discovered that this exploit exploits . This flaw, which Microsoft has rated critical, allows remote privilege escalation of Exchange servers.

OWASSRF PoC exploit (BleepingComputer)

CVE-2022-4080 was discovered and reported by zcgonvh of 360 Noah Lab, and by Q5Ca and nxhoang99 of VcsLab Cyber Security.

The bug could be used as part of a “chain to RCE Exchange Online on-premises and Exchange Online”, Skype for Business Server, or maybe SFB Online+Teams, but cannot find the remote PowerShell endpoint.

It is not clear at this point whether the threat actors used this Microsoft Exchange attack channel as a zero-day exploit before the fixes were released.

Online leak of OWASSRF PoC exploit

CrowdStrike’s security experts were developing their own proof-of-concept (PoC) code to match the log information found during the investigation of the Play ransomware attacks when Huntress Labs threat analyst Dray Agha found a threat actor’s tooling online on December 14th.

Using that PoC, CrowdStrike was able to reproduce the malicious activity observed in the Play ransomware attacks on Exchange.

CrowdStrike says that remote access tools such as AnyDesk and Plink were dropped on the compromised servers along with the proof-of-concept exploit.

BleepingComputer found that Agha’s tooling also contained ConnectWise remote management software, which was most likely used in other attacks.

Organisations running Microsoft Exchange servers on premises are encouraged to install the most recent Exchange security updates; the November 2022 patch level is the minimum. OWA should be disabled until the CVE-2022-4080 patch can be applied.

Play ransomware was launched in June, when the first victims started seeking help in dealing with the fallout of the attacks.

Since the June launch, numerous Play ransomware victims have uploaded encrypted files or ransom notes to help identify the ransomware that encrypted their data.

Play ransomware activity (ID Ransomware)

Play affiliates leave a simple ransom note containing only the word PLAY and an email address.

There is currently no evidence of data theft or data leakage by the Play ransomware operation.

The and the were recent victims of Play ransomware.