Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).
Cybersecurity firm CrowdStrike spotted the exploit (dubbed OWASSRF) while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims’ networks.
To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse the CVE-2022-41082, the same bug exploited by ProxyNotShell.
“In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access,” the researchers said.
“Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange.”
While ProxyNotShell exploits target CVE-2022-41040, CrowdStrike found that the flaw abused by the newly discovered exploit is likely CVE-2022-41080, a security flaw Microsoft tagged as critical and not exploited in the wild that allows remote privilege escalation on Exchange servers.
CVE-2022-41080 was discovered and reported by zcgonvh with 360 noah lab and rskvp93, Q5Ca, and nxhoang99 with VcsLab of Viettel Cyber Security.
One of the researchers who found the bug said that it can be exploited as part of a “chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server (maybe SFB Online+Teams too but can’t find its powershell remote endpoint).”
At this time it is unclear whether the threat actors were abusing this Microsoft Exchange attack chain as a zero-day exploit before fixes were released.
OWASSRF PoC exploit leaked online
While CrowdStrike security researchers were working on developing their own proof-of-concept (PoC) code to match the log info found while investigating these recent Play ransomware attacks, Huntress Labs threat researcher Dray Agha found and leaked a threat actor’s tooling online, on December 14th.
The leaked tooling contained a PoC for Play’s Exchange exploit, which allowed CrowdStrike to replicate the malicious activity logged in Play ransomware’s attacks.
CrowdStrike believes that the proof-of-concept exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers.
BleepingComputer also found that the tooling leaked by Agha contained the ConnectWise remote administration software, which was likely deployed in attacks as well.
Organizations with on-premises Microsoft Exchange servers on their network are advised to apply the latest Exchange security updates (with November 2022 being the minimum patch level) or disable OWA until the CVE-2022-41080 patch can be applied.
The Play ransomware operation launched in June 2022, when the first victims began reaching out for help to deal with the attacks’ fallout in the BleepingComputer forums.
Since its launch in June, dozens of Play ransomware victims have uploaded samples or ransom notes to the ID Ransomware platform to identify what ransomware was used to encrypt their data.
Unlike most ransomware operations, Play affiliates drop simple ransom notes with the word PLAY and a contact email address.
Currently, there is no data leak linked to this ransomware or any indication that any data is stolen during attacks.
Recent victims hit by Play ransomware affiliates include the German H-Hotels hotel chain, the Belgium city of Antwerp, and Argentina’s Judiciary of Córdoba.