Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw

Jan 13, 2023 | News


Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.


Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations.

According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks.

Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.

Microsoft shared this info in a January update to a private threat analytics report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business subscriptions.

While Microsoft released security updates to address this SSRF Exchange vulnerability on November 8th and has provided some of its customers with info that ransomware gangs are using the flaw, the advisory is yet to be updated to warn that it’s being exploited in the wild.


Patch your Exchange servers against OWASSRF attacks


The OWASSRF exploit spotted by CrowdStrike security researchers on Rackspace's network was also shared online together with some of Play ransomware's other malicious tools.

This will make it easier for other cybercriminals to adapt Play ransomware’s tooling for their own purposes or create their own custom CVE-2022-41080 exploits, adding to the urgency of patching the vulnerability as soon as possible.

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against this bug by January 31st and strongly urged all organizations to secure their Exchange servers to thwart exploitation attempts.

Organizations with on-premises Microsoft Exchange servers on their networks should deploy the latest Exchange security updates immediately (with November 2022 as the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.
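The patch-level check described above, as an added example that is not from the original article, from Microsoft or from BleepingComputer. It is meant to be run in the Exchange Management Shell on the Exchange server itself and reports two things a defender wants to know at this point: whether the installed Security Update build meets a minimum you choose, and which OWA virtual directories are still published. The minimum build number is an assumed placeholder parameter: take the build of the November 2022 Security Update for your Exchange version from Microsoft's own release notes, since the article does not list build numbers.

```powershell
# Added example (not the article's or Microsoft's code): report Exchange patch level and OWA exposure.
# Run from the Exchange Management Shell on the server being checked.
# -MinimumBuild is an ASSUMED placeholder; supply the November 2022 SU build for your Exchange version.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

function Get-ExchangeSuBuild {
    # Security Updates raise the file version of ExSetup.exe even though the
    # CU-level AdminDisplayVersion does not change, so the file version is the
    # reliable indicator of the installed SU level.
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    if (-not (Test-Path $exSetup)) {
        throw "ExSetup.exe not found at '$exSetup'; is this an Exchange server?"
    }
    return [version](Get-Item $exSetup).VersionInfo.FileVersion
}

function Test-ExchangePatchLevel {
    # True when the installed build is at or above the chosen minimum.
    param(
        [Parameter(Mandatory = $true)][version]$Installed,
        [Parameter(Mandatory = $true)][version]$Minimum
    )
    return ($Installed -ge $Minimum)
}

$installed = Get-ExchangeSuBuild
$patched   = Test-ExchangePatchLevel -Installed $installed -Minimum $MinimumBuild

# OWA virtual directories still published on this server. If the article's
# fallback (taking OWA offline until patched) has been applied, this list should
# reflect it; an ExternalUrl here means OWA is still advertised to clients.
$owaDirs = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue |
    Select-Object Name, InternalUrl, ExternalUrl

[pscustomobject]@{
    Server         = $env:COMPUTERNAME
    InstalledBuild = $installed
    MinimumBuild   = $MinimumBuild
    AtMinimumPatch = $patched
    OwaDirectories = $owaDirs
}

if (-not $patched) {
    Write-Warning "Build $installed is below $MinimumBuild: install the latest Exchange Security Update, or keep OWA offline until you can."
}
```

Usage: `.\Check-ExchangePatch.ps1 -MinimumBuild <build-from-Microsoft-release-notes>`. The script only reads state; it deliberately does not modify the server, so the decision to patch or to take OWA offline stays with the administrator.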

Cuba ransomware behind more than 100 attacks worldwide


The FBI and CISA revealed in a joint security advisory issued last month that the Cuba ransomware gang has raked in more than $60 million in ransoms as of August 2022 after breaching over 100 victims worldwide.

Although this paints a bleak picture, samples submitted by victims to the ID-Ransomware analysis platform show that the gang is not very active, proving that even a somewhat inactive ransomware operation can have a huge impact.

[Figure: Cuba ransomware sample submissions (ID-Ransomware)]

Another FBI advisory from December 2021 warned that the ransomware group had compromised at least 49 organizations from U.S. critical infrastructure sectors.

In both advisories, the FBI strongly urged reporting Cuba ransomware attacks to local FBI field offices and asked victims to share related information with their local FBI Cyber Squad to help identify the ransomware gang’s members and the cybercriminals they’re working with.

While not as prolific as Cuba ransomware, and although first spotted much more recently, in June 2022, Play ransomware has been quite active and has already hit dozens of victims worldwide, including Rackspace, the German H-Hotels hotel chain, the Belgian city of Antwerp, and Argentina's Judiciary of Córdoba.


Source: bleepingcomputer.com
