Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw

Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery vulnerability also exploited in Play ransomware attacks.
Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations.
Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.
While Microsoft released security updates to address this SSRF Exchange vulnerability on November 8th and has provided some of its customers with info that ransomware gangs are using the flaw, the advisory is yet to be updated to warn that it's being exploited in the wild.
In both advisories, the FBI strongly urged reporting Cuba ransomware attacks to local FBI field offices and asked victims to share related information with their local FBI Cyber Squad to help identify the ransomware gang's members and the cybercriminals they're working with.
Although Play ransomware is not as prolific as Cuba ransomware and was first spotted much more recently, in June 2022, it has been quite active and has already hit dozens of victims worldwide, including Rackspace, the German H-Hotels hotel chain, the Belgian city of Antwerp, and Argentina's Judiciary of Córdoba.