Microsoft: Cuba ransomware hacking Exchange Servers via OWASSRF flaw

Microsoft says that Cuba ransomware threat actors have been hacking Microsoft Exchange servers left unpatched against a critical server-side request forgery (SSRF) vulnerability that is also exploited in Play ransomware attacks.

Cloud computing company Rackspace was recently attacked by Play ransomware using a zero-day exploit called OWASSRF that targets this bug ( ), compromising unpatched Microsoft Exchange servers after bypassing .

Microsoft says the Play ransomware gang has been exploiting this security hole since November 2022, and advises customers to patch CVE-2022-4080 to prevent potential attacks.

Redmond says the SSRF vulnerability was also exploited by DEV-0671, another threat group it tracks, which used it to hack Exchange servers and deploy Cuba ransomware payloads.

Microsoft shared this information in a January update to a private threat analytics report seen by BleepingComputer, which is available to customers subscribed to Microsoft Defender for Business, Microsoft Defender for Endpoint Plan 2, or Microsoft 365 Defender.

Microsoft has released security updates for the Exchange SSRF vulnerability and has told some customers that ransomware gangs are exploiting it, but servers that have not yet received those updates still need to be patched.

Protect your Exchange Servers from OWASSRF Attacks

CrowdStrike security researchers spotted the OWASSRF exploit, along with other ransomware tooling, on Rackspace's network.

This makes it easier for other cybercriminals, not just Play ransomware operators, to modify the tooling or create their own CVE-2022-4080 exploits, which adds to the urgency of patching the vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against the bug by January 31, and urged all organisations to protect their Exchange servers from exploitation attempts.

On-premises Microsoft Exchange Servers should be updated immediately.

Cuba ransomware is behind over 100 global attacks

In a joint security advisory, the FBI and CISA said that the Cuba ransomware gang had raked in over $60,000,000 in ransoms by August 2022, having breached more than 100 victims around the world.

Despite this grim picture, samples submitted by victims to the ID-Ransomware platform for analysis show that the gang is not very active, demonstrating that even a low-activity ransomware operation can have huge consequences.

Cuba ransomware sample submissions (ID-Ransomware)

A separate FBI advisory issued in December 2021 warned that the ransomware had .

Both advisories emphasized the importance of reporting Cuba ransomware attacks to FBI field offices, and asked victims to share information with the FBI Cyber Squad to help identify the members of the ransomware gang and other cybercriminals.

Play ransomware, while not as widespread as Cuba ransomware, was first spotted in June 2022 and has since been linked to dozens of victims, including and the . The and .