Ransomware used Microsoft Exchange exploit to breach servers

Published December 22, 2022
Author: Ash Khan

Ransomware exploited Microsoft Exchange servers

Threat actors deploying Play ransomware are using a new exploit chain that bypasses the URL rewrite mitigations Microsoft published for ProxyNotShell, achieving remote code execution (RCE) on vulnerable Exchange servers through Outlook Web Access (OWA).

CrowdStrike discovered the new exploit method, which it named OWASSRF, while investigating Play ransomware intrusions that used compromised Microsoft Exchange servers as the entry point into victims’ networks.

The ransomware operators used Exchange’s Remote PowerShell endpoint to exploit CVE-2022-41082, the same bug that ProxyNotShell abuses to execute arbitrary commands on vulnerable servers.

When CrowdStrike analyzed the relevant logs, however, it found no evidence that CVE-2022-41040, the Autodiscover SSRF that ProxyNotShell uses for initial access, had been exploited.

Instead, the corresponding requests were made directly through the Outlook Web Access (OWA) endpoint, which pointed to a previously undisclosed Exchange exploit method.

 

Whereas ProxyNotShell chains CVE-2022-41040 with CVE-2022-41082, CrowdStrike assessed that the newly discovered OWASSRF exploit most likely abuses CVE-2022-41080 instead. Microsoft rated that flaw critical and, at the time, described it as not exploited in the wild; it allows remote privilege escalation on Exchange servers.

CVE-2022-41080 was discovered and reported by zcgonvh of 360 Noah Lab along with other researchers.

According to one of the researchers who found the vulnerability, attackers can exploit this weakness as part of a “chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server,” and perhaps SFB Online+Teams too, although they have not been able to find its PowerShell remote endpoint.

It is not known whether attackers were using this Exchange attack chain as a zero-day before Microsoft released fixes for both bugs in its November 2022 security updates.

OWASSRF PoC exploit is now public

CrowdStrike security researchers had been developing their own proof-of-concept (PoC) exploit to match the activity seen in the logs. On December 14, while investigating the same Play ransomware attacks, a Huntress Labs threat researcher found a threat actor’s tooling exposed online and leaked it. The leaked tooling included a working PoC exploit for the Exchange flaws Play was abusing.

Using these disclosed tools, CrowdStrike was able to reproduce the malicious activity reported in Play ransomware attacks.

According to CrowdStrike, the exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers.

BleepingComputer also found that the leaked tools included the ConnectWise remote administration software, which was likely used in the attacks as well.

Organizations running on-premises Microsoft Exchange servers should install the latest Exchange security updates, which include the fix for CVE-2022-41080, or disable OWA until they can patch. The ProxyNotShell URL rewrite mitigation does not block this chain and is not a substitute for the update.
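As an added example (not code from the original article, CrowdStrike or Microsoft), the following PowerShell snippet checks whether each Exchange server in the organization is running at least the November 2022 Security Update build, which is where CVE-2022-41080 and CVE-2022-41082 are fixed. It reads the file version of ExSetup.exe on each server because the AdminDisplayVersion reported by Get-ExchangeServer reflects only the Cumulative Update level, not the installed Security Update. The build numbers in the table are the November 2022 SU builds from Microsoft’s Exchange build reference; verify them against that reference before relying on the script, and treat any Cumulative Update not listed as out of support.

```powershell
# Added example: verify that Exchange servers carry the November 2022 SU (fixes CVE-2022-41080 / CVE-2022-41082).
# Run from the Exchange Management Shell with an account allowed to invoke remote commands on each server.

# Minimum ExSetup.exe file versions for the November 2022 Security Updates, keyed by the Cumulative Update
# build prefix (major.minor.build). A CU not listed here is out of support and cannot receive the fix.
$Nov2022SU = @{
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange 2013 CU23
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange 2016 CU23
    '15.2.986'  = [version]'15.2.986.36'    # Exchange 2019 CU11
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange 2019 CU12
}

function Test-ExchangePatchLevel {
    param(
        [Parameter(Mandatory)][string]$ServerName
    )

    # The SU level is only visible in the binaries; AdminDisplayVersion stops at the CU.
    $fileVersion = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $exSetup).VersionInfo.FileVersion
    }

    $installed = [version]$fileVersion
    $cuPrefix  = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build

    if (-not $Nov2022SU.ContainsKey($cuPrefix)) {
        $status = 'UNSUPPORTED CU - cannot be patched, upgrade the CU first'
    } elseif ($installed -ge $Nov2022SU[$cuPrefix]) {
        $status = 'OK - November 2022 SU or later installed'
    } else {
        $status = 'VULNERABLE - install the November 2022 SU or disable OWA'
    }

    [pscustomobject]@{
        Server   = $ServerName
        ExSetup  = $installed
        Required = $Nov2022SU[$cuPrefix]
        Status   = $status
    }
}

# Check every Exchange server in the organization and list the ones that still need attention.
Get-ExchangeServer |
    ForEach-Object { Test-ExchangePatchLevel -ServerName $_.Name } |
    Sort-Object Status |
    Format-Table -AutoSize
```

A server reported as VULNERABLE is exposed to OWASSRF regardless of whether the ProxyNotShell URL rewrite rule is in place; a server on an unlisted CU must first be brought to a supported CU before the Security Update can be applied.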

 

The Play ransomware campaign began in June 2022, when the first victims started asking for help dealing with the aftermath of the attacks. Since then, many Play victims have used the ID Ransomware site to identify which ransomware family encrypted their data.

Unlike most ransomware operations, Play affiliates leave very simple ransom notes containing only the word PLAY and a contact email address.

At the time of writing, no data leak site is associated with this ransomware, and there is no indication that data was stolen during the attacks.

 

Recent victims of Play ransomware affiliates include the German hotel operator H-Hotels, the Belgian city of Antwerp, and Argentina’s Córdoba Judiciary.

How to protect against ransomware and avoid infection

Do not click links in spam messages or visit unfamiliar websites. A malicious link can trigger a download of malware that compromises your system.

If you receive a call, text message, or email from an unknown source asking for personal information, do not respond. If you have doubts about a message’s legitimacy, contact the purported sender through a channel you already know to be genuine, not through the contact details in the message.

 

Ransomware often arrives through email attachments. Do not open suspicious-looking attachments, and check the sender’s address carefully to confirm that the email really comes from who it claims to.

Avoid connecting unknown USB drives or other storage media to your computer, as they may carry malware. Cybercriminals have been known to plant infected media in public places to tempt someone into plugging it in.

 

Keep applications and operating systems up to date. Installing the latest security patches promptly makes it harder for attackers to exploit known weaknesses in your system.

To reduce the risk of picking up ransomware, download software and media only from recognized, trustworthy sources and avoid unknown download sites.

 

Be careful when using public Wi-Fi networks: your system is more exposed to attack on an untrusted network. Avoid carrying out sensitive transactions over public Wi-Fi, and use a reputable VPN service when you must.