Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA).
“The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint,” CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday.
Play ransomware, which first surfaced in June 2022, has been revealed to adopt many tactics employed by other ransomware families such as Hive and Nokoyawa, the latter of which upgraded to Rust in September 2022.
The cybersecurity company’s investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting CVE-2022-41040, but rather through the OWA endpoint.
Dubbed OWASSRF, the technique likely takes advantage of another critical flaw tracked as CVE-2022-41080 (CVSS score: 8.8) to achieve privilege escalation, followed by abusing CVE-2022-41082 for remote code execution.
images from Hacker News