September 30, 2023

Play ransomware group is using a new exploit in Microsoft Exchange to breach servers. The exploit chain bypasses ProxyNotShell URL rewrite mitigations to gain RCE on vulnerable servers.

Threat actors exploit CVE-2022-41082 using Remote PowerShell. The same flaws that ProxyNotShell used to execute arbitrary commands on infected servers.

The threat actor makes requests directly through the Outlook Web Application endpoint, an exploit method for Exchange previously undisclosed.

Advertisements

The exploited vulnerability probably CVE-2022-41080, a security vulnerability Microsoft classified as critical but which has not yet been used in the wild and which permits remote privilege escalation on Exchange servers.

This flaw can be exploited as part of a chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server. It is currently unknown if the threat actors used this Microsoft Exchange attack chain as a zero-day exploit prior to the announcement of remedies.

A working PoC was leaked online, and the exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers. The leaked PoC contains a remote admin tool, and ConnectWise that is deployed during the attack.

Advertisements

Since the launch from July 2022, it has affected dozens of victims. Recent victims include the Belgian city of Antwerp, H-Hotels, and Argentina’s Judiciary of Córdoba.

Tags:

Leave a Reply

You may have missed

Progress issues Patches for Critical WS_FTP Flaws

September 29, 2023

NIST Releases SP 800-82r3 guide for OT

September 29, 2023

Cisco Semi-annual Security Advisory Summary

September 29, 2023

BlackTech Havoc’s Organizations with Cisco Router Bug

September 29, 2023

Google fixes fifth Zeroday bug in Chrome

September 28, 2023

OpenSea NFT suffers a Breach

September 28, 2023
%d bloggers like this: