Play ransomware is a relatively new family used by threat actors in the cybercrime industry to target organisations across several sectors, including governments. Recently, ransomware groups have been using a new exploit to carry out their attacks.

According to cybersecurity experts, Play ransomware first surfaced in June 2022. Many claim that the group’s identified TTPs are similar to those of the Hive and Nokoyawa families. They utilise AdFind, a command-line query tool that collects information from Active Directory. What sets Play apart, however, is its use of intermittent encryption (encrypting only parts of each file).

Play ransomware was then used in an attack on August 23 against the Judiciary of Córdoba in Argentina. The threat actor shut down the Judiciary’s IT systems, databases, and online portals, encrypting files with the ‘.play’ extension and leaving a ReadMe.txt file explaining how to contact them.

Recently, the threat actors behind Play have been using a method not seen from them before. SC Media cybercrime reporter Menghan Xiao reported that “the hackers bypassed Microsoft’s ProxyNotShell URL rewrite mitigation to gain remote code execution through Outlook Web Access (OWA).”

Xiao also added that this was identified by CrowdStrike researchers, calling it OWASSRF, upon “investigations into several Play ransomware intrusions where the common entry vector was suspected to be Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082. The team, however, found that initial access to targeted networks was not achieved by directly exploiting CVE-2022-41040 but was made through the OWA endpoint.”

Fortunately, Microsoft has already addressed these vulnerabilities as part of its November Patch Tuesday updates, according to data and cybersecurity journalist Ravie Lakshmanan.

But recently, cybersecurity company Rapid7 noticed an increased number of Microsoft Exchange Server compromises. Rapid7 researcher Glenn Thorpe noted, “Patched servers do not appear vulnerable. Servers only utilising Microsoft’s mitigations do appear vulnerable. Threat actors are using this to deploy ransomware.”

Microsoft advises customers to prioritise installing the latest updates, specifically the November 2022 Exchange Server security updates.
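The practical point of the Rapid7 observation is that an Exchange server with only the URL rewrite mitigation applied is still exposed; only the Security Update closes the hole. The following PowerShell check is an added example, not code from the article, Microsoft, Rapid7 or CrowdStrike. It compares the file version of ExSetup.exe on an Exchange server against a minimum build, because the Security Update changes that file version while the `AdminDisplayVersion` reported by `Get-ExchangeServer` only reflects the Cumulative Update. The `$MinimumBuild` value is a placeholder assumption: replace it with the build number Microsoft publishes for the November 2022 SU of your Cumulative Update. Run it from the Exchange Management Shell on each server.

```powershell
# Added example (not from the article or any vendor): verify that the
# Exchange Security Update is installed, rather than only the mitigation.
# $MinimumBuild is a PLACEHOLDER; supply the real November 2022 SU build
# number for your CU from Microsoft's Exchange build table.
param(
    [version]$MinimumBuild = [version]'0.0.0.0'   # placeholder, replace before use
)

# ExSetup.exe changes file version with every Security Update, so its
# version is a reliable indicator of the installed SU level.
function Get-ExSetupVersion {
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

# Returns a simple verdict: patched servers are at or above the minimum
# build; anything below it relies at best on the URL rewrite mitigation.
function Test-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version]$Minimum
    )
    if ($Installed -ge $Minimum) {
        return 'Patched: Security Update present'
    }
    return 'NOT patched: mitigation only at best, install the SU'
}

$installed = Get-ExSetupVersion
[pscustomobject]@{
    Server          = $env:COMPUTERNAME
    ExSetupVersion  = $installed.ToString()
    MinimumBuild    = $MinimumBuild.ToString()
    Status          = Test-ExchangeSecurityUpdate -Installed $installed -Minimum $MinimumBuild
}
```

For a fleet, the same check can be wrapped in `Invoke-Command` against each server name returned by `Get-ExchangeServer`. Microsoft's Exchange Health Checker script performs a more complete version of this assessment, including checking whether known mitigations and updates are in place, and is the better choice where it can be run.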
