Play ransomware group is using a new exploit in Microsoft Exchange to breach servers. The exploit chain bypasses ProxyNotShell URL rewrite mitigations to gain RCE on vulnerable servers.
Threat actors exploit CVE-2022-41082 using Remote PowerShell. The same flaws that ProxyNotShell used to execute arbitrary commands on infected servers.
The threat actor makes requests directly through the Outlook Web Application endpoint, an exploit method for Exchange previously undisclosed.
The exploited vulnerability probably CVE-2022-41080, a security vulnerability Microsoft classified as critical but which has not yet been used in the wild and which permits remote privilege escalation on Exchange servers.
This flaw can be exploited as part of a chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server. It is currently unknown if the threat actors used this Microsoft Exchange attack chain as a zero-day exploit prior to the announcement of remedies.
A working PoC was leaked online, and the exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers. The leaked PoC contains a remote admin tool, and ConnectWise that is deployed during the attack.
Since the launch from July 2022, it has affected dozens of victims. Recent victims include the Belgian city of Antwerp, H-Hotels, and Argentina’s Judiciary of Córdoba.