Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.
Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations.
According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks.
Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.
Microsoft shared this information in a January update to a private threat analytics report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business subscriptions.
While Microsoft released security updates to address this SSRF Exchange vulnerability on November 8th and has provided some of its customers with information that ransomware gangs are using the flaw, the advisory is yet to be updated to warn that it is being exploited in the wild.
Patch your Exchange servers against OWASSRF attacks
The OWASSRF exploit observed by CrowdStrike security researchers on Rackspace's network was also shared online together with some of Play ransomware's other malicious tools.
This will make it easier for other cybercriminals to adapt Play ransomware's tooling for their own purposes or create their own custom CVE-2022-41080 exploits, adding to the urgency of patching the vulnerability as soon as possible.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against this bug by January 31st and strongly urged all organizations to secure their Exchange servers to thwart exploitation attempts.
Organizations with on-premises Microsoft Exchange servers on their networks should deploy the latest Exchange security updates immediately (with November 2022 as the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.
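One way to verify that patch level from the Exchange Management Shell is shown below. This is an added example, not code from the article, Microsoft or Rackspace. It relies on the fact that Security Updates change the file version of ExSetup.exe (which Microsoft documents as the way to identify the installed SU) while AdminDisplayVersion only reflects the Cumulative Update. The minimum build numbers in the table are placeholders and must be filled in from Microsoft's Exchange Server build numbers page for the CU each server runs; the function names are this example's own.

```powershell
# Added example (not from the article): report whether an Exchange server's installed
# Security Update is at or above the November 2022 SU that addresses CVE-2022-41080.
# Run from the Exchange Management Shell on each on-premises server.
# The build numbers in $MinimumBuild are PLACEHOLDERS: take the real values for your
# CU from Microsoft's "Exchange Server build numbers and release dates" page.

$MinimumBuild = @{
    # Exchange major.minor -> minimum ExSetup.exe file version for the Nov 2022 SU
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange Server 2016, Nov 2022 SU
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange Server 2019, Nov 2022 SU
}

function Get-ExchangeSuVersion {
    # SUs update ExSetup.exe's file version but leave AdminDisplayVersion unchanged,
    # so the file version is the reliable indicator of the installed SU level.
    $info = (Get-Command ExSetup.exe).FileVersionInfo
    return [version]$info.FileVersion
}

function Test-Cve202241080Patched {
    param([version]$Installed = (Get-ExchangeSuVersion))
    $key = "$($Installed.Major).$($Installed.Minor)"
    if (-not $MinimumBuild.ContainsKey($key)) {
        Write-Warning "Exchange build $Installed is not in the table; check Microsoft's build list manually."
        return $false
    }
    return $Installed -ge $MinimumBuild[$key]
}

$installed = Get-ExchangeSuVersion
if (Test-Cve202241080Patched -Installed $installed) {
    Write-Output "$($env:COMPUTERNAME): ExSetup.exe $installed is at or above the November 2022 SU level."
} else {
    Write-Output "$($env:COMPUTERNAME): ExSetup.exe $installed is BELOW the minimum; install the latest SU, or disable OWA until you can."
}
```

The comparison is deliberately done on the full four-part version so that a server on an older CU with a newer SU is judged by its own CU's minimum build rather than by a single global number; a server whose major.minor is not in the table is reported as unpatched so it is reviewed rather than silently skipped.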
Cuba ransomware behind more than 100 attacks worldwide
The FBI and CISA revealed in a joint security advisory issued last month that the Cuba ransomware gang has raked in more than $60 million in ransoms as of August 2022 after breaching over 100 victims worldwide.
Although this paints a bleak picture, analysis of samples submitted by victims to the ID-Ransomware platform shows that the gang is not very active, proving that even a relatively inactive ransomware operation can have a huge impact.
Another FBI advisory from December 2021 warned that the ransomware group had compromised at least 49 organizations from U.S. critical infrastructure sectors.
In both advisories, the FBI strongly urged reporting Cuba ransomware attacks to local FBI field offices and asked victims to share related information with their local FBI Cyber Squad to help identify the ransomware gang's members and the cybercriminals they're working with.
While not as prolific as Cuba ransomware, and although first spotted much more recently, in June 2022, Play ransomware has been quite active and has already hit dozens of victims worldwide, including Rackspace, the German H-Hotels hotel chain, the Belgian city of Antwerp, and Argentina's Judiciary of Córdoba.