Security News > 2022 > December > Ransomware gang uses new Microsoft Exchange exploit to breach servers

Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution on vulnerable servers through Outlook Web Access.
Cybersecurity firm CrowdStrike spotted the exploit while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks.
While ProxyNotShell exploits target CVE-2022-41040, CrowdStrike found that the flaw abused by the newly discovered exploit is likely CVE-2022-41080, a security flaw Microsoft tagged as critical and not exploited in the wild that allows remote privilege escalation on Exchange servers.
One of the researchers who found the bug said that it can be exploited as part of a "Chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server."
While CrowdStrike security researchers were working on developing their own proof-of-concept code to match the log info found while investigating these recent Play ransomware attacks, Huntress Labs threat researcher Dray Agha found and leaked a threat actor's tooling online, on December 14th. The leaked tooling contained a PoC for Play's Exchange exploit, which allowed CrowdStrike to replicate the malicious activity logged in Play ransomware's attacks.
Since its launch in June, dozens of Play ransomware victims have uploaded samples or ransom notes to the ID Ransomware platform to identify what ransomware was used to encrypt their data.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- Sarcoma ransomware claims breach at giant PCB maker Unimicron (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware (source)
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Rubrik rotates authentication keys after log server breach (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-11-09 | CVE-2022-41080 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 8.8 |
2022-10-03 | CVE-2022-41040 | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 0.0 |