Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.
Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations.
According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks.
Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.
Microsoft shared this info in a January update to a private threat analytics report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business subscriptions.
While Microsoft released security updates to address this SSRF Exchange vulnerability on November 8th and has provided some of its customers with info that ransomware gangs are using the flaw, the advisory is yet to be updated to warn that it’s being exploited in the wild.
Patch your Exchange servers against OWASSRF attacks
The OWASSRF exploit spotted by CrowdStrike security researchers on Rackspaces’s network was also shared online together with some of Play ransomware’s other malicious tools.
This will make it easier for other cybercriminals to adapt Play ransomware’s tooling for their own purposes or create their own custom CVE-2022-41080 exploits, adding to the urgency of patching the vulnerability as soon as possible.
On Tuesday, Cybersecurity and Infrastructure Security Agency (CISA) also ordered Federal Civilian Executive Branch Agencies (FCEB) agencies to patch their systems against this bug by January 31st and strongly urged all organizations to secure their Exchange servers to thwart exploitation attempts.
Organizations with on-premises Microsoft Exchange servers on their networks should deploy the latest Exchange security updates immediately (with November 2022 as the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.
Cuba ransomware behind more than 100 attacks worldwide
The FBI and CISA revealed in a joint security advisory issued last month that the Cuba ransomware gang has raked in more than $60 million in ransoms as of August 2022 after breaching over 100 victims worldwide.
Although this paints a bleak picture, samples submitted by victims to the ID-Ransomware platform analysis show that the gang is not very active, proving that even a somewhat inactive ransomware operation can have a huge impact.
Cuba ransomware sample submissions (ID-Ransomware)
Another FBI advisory from December 2021 warned that the ransomware group had compromised at least 49 organizations from U.S. critical infrastructure sectors.
In both advisories, the FBI strongly urged reporting Cuba ransomware attacks to local FBI field offices and asked victims to share related information with their local FBI Cyber Squad to help identify the ransomware gang’s members and the cybercriminals they’re working with.
While not as prolific as Cuba ransomware and although first spotted a lot more recently, in June 2022, Play ransomware has been quite active and has already hit dozens of victims worldwide, including Rackspace, the German H-Hotels hotel chain, the Belgium city of Antwerp, and Argentina’s Judiciary of Córdoba.