The Play ransomware group has been observed attacking unpatched Microsoft Exchange servers through a combination of exploits that researchers are calling OWASSRF.
The attack chain uses the same authenticated remote code execution flaw (RCE; CVE-2022-41082) as the ProxyNotShell attack, which Microsoft patched in November, but reaches it through an SSRF (CVE-2022-41080) in the Outlook Web Access (OWA) endpoint rather than the Autodiscover endpoint. Because the request path differs, the attack bypasses the URL rewrite mitigations that Microsoft previously recommended and distributed through its Emergency Mitigation Service.
The exploit code has been published by researchers and is now available for other threat actors to use.
A malicious remote attacker can execute PowerShell on an unpatched Exchange server.
Exchange Server 2019, 2016 and 2013 installations without the 8th November patch are affected.
Containment, Mitigations & Remediations
KB5019758 contains details of the update.
Customers unable to update Exchange immediately should disable OWA until the patch is applied.
Microsoft recommends Exchange on-premise owners disable remote PowerShell access for non-admin users.
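One way to apply that recommendation from the Exchange Management Shell, as an added example that is not part of this advisory or Microsoft's own tooling: it assumes the three named role groups are the ones whose members should keep remote PowerShell, and exempts the account running the script.

```powershell
# Added example: disable remote PowerShell for every Exchange user who is not a
# member of an admin role group. Run from the Exchange Management Shell.
# Assumption: the role groups below are the only ones that need remote PowerShell;
# adjust $AdminRoleGroups for your organisation.
param(
    [string[]]$AdminRoleGroups = @('Organization Management', 'Server Management', 'Recipient Management'),
    [switch]$WhatIf
)

# Collect the distinguished names of identities that must keep remote PowerShell.
$keep = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$keep.Add($_.DistinguishedName) }
}

# Never lock out the account running this script.
$currentName = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$self = Get-User -Identity $currentName -ErrorAction SilentlyContinue
if ($self) { [void]$keep.Add($self.DistinguishedName) }

# Every user that still has remote PowerShell enabled and is not exempt.
$targets = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $keep.Contains($_.DistinguishedName) })

foreach ($user in $targets) {
    # -WhatIf lets you review the list before making any change.
    Set-User -Identity $user.DistinguishedName -RemotePowerShellEnabled $false -WhatIf:$WhatIf
}

"Remote PowerShell disabled for $($targets.Count) user(s); $($keep.Count) admin identities left unchanged."
```

Run it once with -WhatIf to confirm the exemption list before applying it for real.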
Indicators of Compromise
Exploitation attempts will show in IIS logs as posts to the following OWA URL:
Play is a double-extortion ransomware group and has been linked to the Hive and Nokoyawa groups based on tactics, techniques and procedures (TTPs), victimology and attack chain commonalities.
All three are known to target victims in Latin American countries.
T1210 – Exploitation of Remote Services
T1068 – Exploitation for Privilege Escalation