Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware.
CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed ‘OWASSRF’ that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks.
The ransomware operation then used this access to steal data and encrypt devices on the network.
As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called ‘Checkmarks’ that targets Microsoft Exchange.
This platform automatically scans for Exchange servers, exploits vulnerabilities to gain access, and then downloads data from the server.
FIN7 would then evaluate the company to determine if it was valuable enough to deploy ransomware.
The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.
In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.
Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).
Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.
Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.
The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
Play is a relative newcomer to the ransomware game, having been detected for the first time in June 2022. In this report, Play refers to both the group developing and distributing it and the name of the ransomware executable. Like many other operators in this space, Play has adopted the double-extortion methodology of encrypting endpoints and/or other infrastructure of value within an organization and then threatening to release exfiltrated data from those machines on the internet if a ransom is not paid.
That’s it for this week! Hope everyone has a nice holiday and we will return after the new year!