Play ransomware strikes again - protect your Exchange servers now to avoid the fate of Rackspace

Continue reading

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been
Microsoft Exchange servers have been under attack by the Play ransomware operation, which recently took down the hosted Microsoft Exchange environments of Texas-based cloud computing provider Rackspace. Last month, cybersecurity firm Crowdstrike released a report discussing a new exploit utilized by the ransomware group to infiltrate Microsoft Exchange servers and access a victim's networks.
OWASSRF, the exploit in question, enabled the attackers to circumvent the ProxyNotShell URL rewrite protections offered by Microsoft by focusing on a crucial vulnerability (CVE-2022-41080) that allows for remote privilege escalation on Exchange servers. They also managed to gain remote code execution on vulnerable servers by abusing CVE-2022-41082, the same vulnerability exploited in ProxyNotShell attacks.
Rackspace has confirmed that the Play ransomware operation was responsible for the recent cyberattack on its hosted Microsoft Exchange environments. This follows a report last month from cybersecurity firm Crowdstrike, which described a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to a victim's networks. The exploit, called OWASSRF, allowed the attackers to bypass the ProxyNotShell URL rewrite mitigations provided by Microsoft by targeting a critical flaw (CVE-2022-41080) that allows remote privilege escalation on Exchange servers. They also managed to gain remote code execution on vulnerable servers by exploiting CVE-2022-41082, the same bug exploited in ProxyNotShell attacks. Rackspace's Chief Security Officer, Karen O'Reilly-Smith, confirmed that the OWASSRF exploit was found on its network and that Play ransomware was behind the ransomware attack. She also thanked Crowdstrike for their thorough work in discovering this zero-day exploit and stated that Rackspace will be sharing more detailed information with customers and peers in the security community to better defend against these types of exploits in the future.
Since the ransomware attack on Rackspace's Hosted Exchange platform, the company has offered customers free licenses to move their email to Microsoft 365. Rackspace is also working on providing affected users with access to their mailboxes, which contain Hosted Exchange email data from before December 2, through the customer portal using an automated queue.
The Play ransomware operation was first detected in June 2022 and since then, several victims have submitted ransom notes and samples to the ID Ransomware platform to determine which ransomware encrypted their files. Unlike other ransomware operations, Play ransomware operators leverage email as a negotiation channel and do not provide victims with a link to a ToR negotiations page in ransom notes left on encrypted systems. However, they are infamous for stealing data from victims' networks before deploying ransomware payloads and will threaten to leak it online if the ransom is not yet paid.
Crowdstrike reported that the OWASSRF exploit was used to drop remote access tools such as Plink and AnyDesk on Rackspace-compromised servers.
Additionally, BleepingComputer discovered that the ConnectWise remote administration software, which was perhaps being deployed in the attack as well, was also included in the toolkit Agha had disclosed.
To secure your Exchange servers against Play ransomware attacks, it is recommended that organizations with on-premises Microsoft Exchange servers on their network must apply the most recent Exchange security updates rightaway (with November 2022 as the minimum patch level) or deactivate Outlook Web Access (OWA) until patches for CVE-2022-41080 can be applied.
Additionally, it is imperative to ensure that all software and systems are up to date with the latest security patches and updates to prevent vulnerabilities from being actively exploited. Regular backups should also be conducted to make sure that important data can be recovered in the event of a ransomware attack. It is recommended to implement security measures such as firewalls, antivirus software, and intrusion detection systems to prevent unauthorized access to your network. Employee education and training on cybersecurity best practices can also help to prevent accidental clicks on malicious links or attachments that could lead to a ransomware attack.
It is crucial for organizations to take proactive measures to protect their systems and data from ransomware attacks. By following best practices for cybersecurity and staying up to date on the latest threats and vulnerabilities, businesses can better defend against the threat of ransomware and other cyber threats.

Hackers exploited a four-year-old credential in Klue's systems to steal customer data, impacting LastPass and several cybersecurity firms in a supply chain breach