Play ransomware has been a significant risk to companies and organizations for a while now, and the threat actors behind it are continuously discovering new methods to infiltrate and compromise systems. In a recent development, cybersecurity firm CrowdStrike found that the Play ransomware threat actors are using a new Microsoft Exchange exploit called OWASSRF to gain remote access to servers and deliver malicious software.
The exploit allows threat actors to bypass the ProxyNotShell URL rewrite mitigations and achieve remote code execution (RCE) on vulnerable servers via Outlook Web Access (OWA). To execute arbitrary commands on compromised servers, the ransomware operators leverage Remote PowerShell to abuse the CVE-2022-41082 vulnerability.
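Because the chain described above ends with Remote PowerShell being used against the Exchange server, one defender-side check is to look for clients that reach the Exchange PowerShell remoting endpoint without being a known management host, especially when the same client touched OWA paths shortly before. The following is an added example, not code from the original article or from CrowdStrike; it assumes IIS W3C-format logs with the fields shown, assumes the on-premises remoting endpoint is served under the /powershell virtual directory, and uses a constructed allow-list of management hosts and constructed log lines.

```python
"""Flag suspicious Exchange PowerShell remoting access in IIS W3C logs.

Added example for the article above (not the article's or CrowdStrike's code).
Assumptions: IIS W3C log layout with a '#Fields:' header line, Exchange
Remote PowerShell served under /powershell, and a constructed allow-list of
hosts that are expected to use remoting.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log. Field order follows the '#Fields:' header line.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-12-20 10:00:01 GET /owa/auth/logon.aspx - 443 203.0.113.7 200
2022-12-20 10:00:09 POST /owa/auth.owa - 443 203.0.113.7 302
2022-12-20 10:00:45 POST /powershell - 443 203.0.113.7 200
2022-12-20 10:01:02 GET /owa/ - 443 198.51.100.2 200
2022-12-20 10:05:00 POST /powershell - 443 10.0.0.5 200
2022-12-20 10:07:00 POST /powershell - 443 192.0.2.9 401
"""

# Constructed allow-list: hosts that legitimately use Exchange remoting
# (for example an admin jump host). Real deployments maintain this list.
MANAGEMENT_HOSTS = {"10.0.0.5"}


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format log text into dicts keyed by the '#Fields:' names."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError("data line appeared before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_suspicious_remoting(rows: List[Dict[str, str]],
                             window: timedelta = timedelta(minutes=10)) -> List[Dict[str, str]]:
    """Return findings for non-management clients hitting /powershell.

    A hit is escalated when the same client accessed an /owa path within
    `window` beforehand, which mirrors the OWA-then-remoting sequence the
    article describes.
    """
    first_owa: Dict[str, datetime] = {}
    findings: List[Dict[str, str]] = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        client = r["c-ip"]
        if stem.startswith("/owa"):
            first_owa.setdefault(client, ts)  # remember first OWA touch
        elif stem == "/powershell" or stem.startswith("/powershell/"):
            if client in MANAGEMENT_HOSTS:
                continue  # expected administrative remoting
            reason = "remoting endpoint hit by non-management client"
            if client in first_owa and ts - first_owa[client] <= window:
                reason = "OWA access followed by remoting endpoint within window"
            findings.append({"client": client, "time": ts.isoformat(), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_remoting(parse_iis_log(SAMPLE_IIS_LOG)):
        print(finding)
```

The HTTP status is deliberately not used as a filter: a failed (401) attempt from an unexpected client is still worth a look, and a 200 from an unknown client is the case that most needs investigation. In practice the allow-list and the time window are tuned to the environment, and the same logic can be run over logs from every Client Access server.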
This new exploit chain is particularly concerning because it targets the Microsoft Exchange server, a critical component for many organizations. This server manages email communications within an organization, and a compromise of this server can have far-reaching consequences. Using the OWASSRF exploit chain, the threat actors behind Play ransomware can infiltrate the victim’s network via the Exchange server, potentially allowing them to gain access to sensitive data and disrupt operations.
How can organizations protect themselves from the OWASSRF exploit chain?
Microsoft rated the CVE-2022-41082 vulnerability as “critical” because it allowed for remote privilege escalation on Exchange servers. The company also stated that it had no evidence of the bug being exploited in the wild. Therefore, it was difficult to determine whether anyone had been exploiting the flaw as a zero-day before the patch became available.
To protect against the OWASSRF exploit chain, Microsoft has advised organizations with on-premises Exchange servers to apply at least the November 2022 cumulative update. If this is not possible, they recommend disabling OWA as a precautionary measure.
Additionally, Microsoft will permanently disable Exchange Online basic authentication in early January 2023 to protect its customers. “Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to disable Basic auth use for protocols in scope,” the company said.