
FBI Alarmed as Ransomware Strikes 300 Victims, Critical Sectors Under Siege

Late on Monday, the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre published a joint advisory on the Play ransomware gang. The gang is thought to have debuted last year and has carried out multiple attacks since.

It was first spotted being deployed against South American government agencies around the middle of last year but pivoted months later to target entities in the US and Europe. The FBI and other cyber security agencies are warning about the rise of the Play ransomware double-extortion group which has now attacked hundreds of organizations. 

Since June 2022, Play ransomware - also known as Playcrypt - has hit a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe, the cyber security advisory said. Unlike typical ransomware operations, the Play ransomware affiliates use email communication for negotiations, rather than providing Tor negotiations page links in ransom notes left on compromised systems. 

However, the gang still employs strategies commonly associated with ransomware, such as stealing sensitive documents from compromised systems to pressure victims into paying under the threat of leaking the stolen data online. The FBI, CISA and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) issued the joint advisory to disseminate indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) of the Play ransomware group identified as recently as October 2023.

The joint advisory urges organizations to remediate the previously exploited vulnerabilities in order to reduce the likelihood of falling victim to Play ransomware. It places special emphasis on multifactor authentication for webmail, VPN, and accounts with access to critical systems, and also stresses regular software updates and patching, along with routine vulnerability assessments.

Organizations are advised to follow security best practices to keep their endpoints secure. These include keeping all software and hardware up to date and applying urgent security patches as soon as possible, since such patches usually address known and actively abused vulnerabilities. Companies should also implement multi-factor authentication (MFA) wherever possible, alongside strong, regularly changed passwords.

High-profile victims of Play ransomware attacks include the City of Oakland in California, Arnold Clark, the cloud computing company Rackspace, and the Belgian city of Antwerp. The Play gang also uses a custom VSS Copying Tool to copy files out of shadow volume copies, even when other applications currently have those files open.

The joint advisory issued by CISA and the other agencies indicates that the Play group gains access to organizations' networks through the abuse of legitimate accounts and the exploitation of public-facing applications via known security flaws in FortiOS [CVE-2018-13379 and CVE-2020-12812] and Microsoft Exchange, including ProxyNotShell, a remote code execution (RCE) vulnerability, as well as CVE-2022-41040, which is also tracked as CVE-2022-40802.

In their report, the authors noted that in most cases the ransomware actors obtain access through externally reachable services and resources such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). Once inside, they use AdFind to run Active Directory queries and the Grixba infostealer to enumerate network information, scan for antivirus software, and collect data from the network.

They have also used PowerShell scripts to target Microsoft Defender, and tools such as GMER, IOBit, and PowerTool to disable antivirus software and remove log files.
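The tooling named above (AdFind, Grixba, GMER, IOBit, PowerTool, PowerShell against Defender, log removal, and file access through shadow copies) leaves recognisable traces in process-creation telemetry. The script below is an added example written for this page, not code from the advisory or from any vendor; it triages constructed Sysmon-style process-creation events (fields `Image`, `CommandLine`, `ParentImage` are assumed) against one regular expression per TTP and returns the findings, so a defender can see which events would warrant a closer look. The event data and the rule names are constructed for illustration.

```python
"""Triage process-creation events for the Play ransomware TTPs named in the
joint FBI/CISA/ACSC advisory.

Added example for this page. The events are constructed, not real telemetry;
the field names follow the Sysmon Event ID 1 layout (Image, CommandLine,
ParentImage), which is an assumption about the log source.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


# One case-insensitive pattern per TTP, applied to "<Image> <CommandLine>".
# Rule names are constructed labels, not identifiers from the advisory.
RULES = {
    # AdFind used for Active Directory enumeration
    "adfind-ad-enumeration": r"\badfind\b",
    # Grixba infostealer / AV scanner
    "grixba-infostealer": r"grixba",
    # GMER, IOBit and PowerTool used to kill AV and delete logs
    "av-tampering-tool": r"\\(gmer|powertool)[^\\]*\.exe\b|\biobit\b",
    # PowerShell turning off Defender or adding exclusions
    "defender-tampering-powershell":
        r"powershell.*?(set-mppreference\s+-disablerealtimemonitoring\s+\$?true"
        r"|add-mppreference\s+-exclusionpath)",
    # Windows event log clearing
    "event-log-clearing": r"\bwevtutil(\.exe)?\s+cl\b",
    # Reading files straight out of a Volume Shadow Copy (VSS copying tool)
    "shadow-copy-file-access": r"harddiskvolumeshadowcopy\d+",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def triage_event(event: dict) -> list[Finding]:
    """Return one Finding per rule that matches; an event may hit several rules."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    haystack = f"{image} {cmd}"
    return [Finding(name, image, cmd) for name, rx in COMPILED.items() if rx.search(haystack)]


def triage_events(events: list[dict]) -> list[Finding]:
    """Run every event through the rule set and flatten the findings."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(triage_event(ev))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per rule, handy for a quick triage dashboard."""
    return Counter(f.rule for f in findings)


# Constructed sample events: six suspicious, two benign (first and last).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": "adfind.exe -f objectcategory=computer -csv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\grixba.exe", "CommandLine": "grixba.exe -scan",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Temp\PowerTool64.exe", "CommandLine": "PowerTool64.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Temp\vsscopy.exe",
     "CommandLine": r"vsscopy.exe \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Data\ledger.xlsx C:\Temp\ledger.xlsx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": PS, "CommandLine": "powershell.exe Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} :: {f.command_line}")
    print(summarize(triage_events(SAMPLE_EVENTS)))
```

Matching on the image path and the command line together keeps the rules short, but in production the `av-tampering-tool` and `adfind-ad-enumeration` rules should be backed by file hashes or signer checks, since the binaries are trivially renamed; the `defender-tampering-powershell` and `event-log-clearing` rules are the ones that survive renaming because they key on the arguments rather than the file name.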

Rackspace: Ransomware Bypasses ProxyNotShell Mitigations

Rackspace Technology, a managed cloud hosting provider, says it has taken action in response to the massive December 2 attack. The attack disrupted email service for thousands of small and midsized businesses through a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, CVE-2022-41080.

Karen O'Reilly-Smith, Rackspace's chief security officer, said in an email response that the root cause was a zero-day exploit associated with CVE-2022-41080. Microsoft had disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not note that it was part of an exploitable remote code execution chain.

According to a third-party advisor to Rackspace, the company had not yet applied the ProxyNotShell patch because it was concerned the patch might cause "authentication errors" that could take down its Exchange servers, among other potential issues. As its mitigation strategy for the vulnerabilities, Rackspace had instead implemented Microsoft's mitigation recommendations, which Microsoft had presented as a way to prevent attacks.

Rackspace hired the security firm CrowdStrike for its breach investigation, and CrowdStrike published its findings in a public blog post. CrowdStrike described how the Play ransomware group had used a newly developed technique to chain CVE-2022-41080 and CVE-2022-41082, a new ProxyNotShell RCE exploit path.

CrowdStrike's post on the Play bypass method was reportedly the outcome of its investigation into the attack against Rackspace, and Rackspace's external advisor confirmed to us that the research into Play's bypass method did come out of CrowdStrike's investigation of the attack.

Last month, Microsoft told Dark Reading that while the attack bypasses the mitigations Microsoft had previously provided for ProxyNotShell, it does not bypass the actual patch once it is applied to the system.

'Patching - if you can do so - is the answer,' says the external advisor, pointing out that the company had weighed the risks and benefits of patching at a time when the mitigations were said to be effective and the patch had the potential to take their servers down. According to the advisor, they were aware of the risk when it was being evaluated and weighed. Because the patch has not yet been applied, the servers remain unavailable.

According to a Rackspace spokesperson, the company has not responded to questions about whether or not the ransomware attackers have been paid.