The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange

[AFFASocial]

The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange​

• December 23, 2022
• 03:51 PM
• 0

Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware.
CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed 'OWASSRF' that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks.
The ransomware operation then used this access to steal data and encrypt devices on the network.
As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called 'Checkmarks' that targets Microsoft Exchange.
This platform automatically scans for Exchange servers, exploits vulnerabilities to gain access, and then downloads data from the server.
FIN7 would then evaluate the company to determine if it was valuable enough to deploy ransomware.

Victim details on FIN7's Checkmarks platform
Source: ProDaft
TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.
Other reports this week shed light on various ransomware operations:

• A report on how Reveton was the precursor to Ransomware-as-a-Service operations.
• A report on the Nokoyawa ransomware operation.
• Vice Society finally gets its own custom ransomware encryptor instead of relying on other operations' malware.
• A technical report on the Play ransomware, which has expanded its operations recently.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @FourOctets, @billtoulas, @DanielGallagher, @demonslay335, @struppigel, @jorntvdw, @LawrenceAbrams, @malwrhunterteam, @VK_Intel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Seifreed, @malwareforme, @serghei, @IBMSecurity, @PRODAFT, @CrowdStrike, @LabsSentinel, @Fortinet, @zscaler, @TrendMicro, and @pcrisk.

December 19th 2022​

Play ransomware claims attack on German hotel chain H-Hotels​

The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.

How Reveton Ransomware-as-a-Service Changed Cybersecurity​

In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

December 20th 2022​

Ransomware gang uses new Microsoft Exchange exploit to breach servers​

Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).

Nokoyawa Ransomware: Rust or Bust​

Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.

New STOP ransomware variants​

PCrisk found new STOP ransomware variants that append the .isal or .isza extensions.

December 21st 2022​

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks​

Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.

New HardBit 2.0 ransomware​

PCrisk found the HardBit 2.0 ransomware that appends the .hardbit2 extension and drops ransom notes named How To Restore Your Files.txt.

New STOP ransomware variant​

PCrisk found a new STOP ransomware variant that appends the .iswr extension.

December 22nd 2022​

Vice Society ransomware gang switches to new custom encryptor​

The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.

FIN7 hackers create auto-attack platform to breach Exchange servers​

The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.

Ransomware Roundup – Play Ransomware​

Play is a relative newcomer to the ransomware game, having been detected for the first time in June 2022. In this report, Play refers to both the group developing and distributing it and the name of the ransomware executable. Like many other operators in this space, Play has adopted the double-extortion methodology of encrypting endpoints and/or other infrastructure of value within an organization and then threatening to release exfiltrated data from those machines on the internet if a ransom is not paid.

That's it for this week! Hope everyone has a nice holiday and we will return after the new year!​

 

[DVDR_Dog]

My my it's been a busy week!

 

[Nitish.am]

hey i need help!
i need product key

 

[AFFASocial]

hey i need help!
i need product key

Wrong post for your request it seems?

 

[DVDR_Dog]

hey i need help!
i need product key

No you don't. KMS activated Office may ask for a key, ignore it. You still have 100% functionality.

 

[Tazeem]

No you don't. KMS activated Office may ask for a key, ignore it. You still have 100% functionality.

kms not activated the office 2016

 

[DVDR_Dog]

Try searching the Office posts in the forum. A few things can go wrong but they have already been covered.

 

[DVDR_Dog]

I was just assessing exactly how many companies that I deal with their IT departments are even using exchange server anymore. When Covid pushed workers off-site and working remotely, Office 365 became a very intelligent move if they already hadn't migrated to 365. It takes so much of a load off of IT departments. On top of that you have now technically isolated your internal data bases from the weakest security link in most organizations. Add that to your workforce has a system installed at their home that could possibly be accessed by any member of the family to do who knows what. Security can be bypassed, I can do it quickly with just minor tools. Add that to the expense of maintaining and powering an exchange server that most of the time is a vastly underused resource. So wasting time trying to develop ways to compromise dinosaur exchange servers in this day and age makes as much sense as urinating up a rope. Might get you props in the security brotherhood but that's about it.