Researchers reported last month that Cuba ransomware operators were using the BURNTCIGAR loader utility to install a malicious driver signed with a Microsoft certificate. Now, Microsoft has revealed that the group is also targeting vulnerable Exchange servers through a critical Server-Side Request Forgery (SSRF) vulnerability, aka OWASSRF.

The vulnerability was first disclosed in November last year.

Ransomware actors abusing OWASSRF

  • Recent reports from Microsoft and other agencies suggest that the Cuba ransomware group is actively expanding its scope by rapidly adopting new attack tactics. This includes the exploitation of new bugs, the most recent being the OWASSRF bug.
  • Recently, Cuba operators started exploiting the OWASSRF (CVE-2022-41080) zero-day to compromise vulnerable Microsoft Exchange servers.
  • Since its disclosure, the DEV-0671 threat actor has been exploiting this bug to hack Exchange servers and deploy Cuba ransomware payloads.
  • Of late, the Play ransomware group abused this same security flaw on Rackspace’s network. The bug was exploited to drop several tools, including Plink and AnyDesk, to gain remote access to the compromised servers.

Actions taken so far

  • Microsoft released security updates to address this bug in November 2022 and has provided its customers with guidance on protecting against this attack method.
  • The CISA added this bug to its Known Exploited Vulnerabilities Catalog and has ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against it by January 31.

Conclusion

Cuba ransomware, coupled with a splash of well-adopted and successful crimeware techniques, presents unique challenges to defenders. Last month, the CISA and the FBI issued an alert about rising attacks from the ransomware group. It had targeted CVE-2022-24521 in the Windows Common Log File System (CLFS) driver and CVE-2020-1472 (Zerologon) in the Microsoft Netlogon process. Microsoft Exchange users are advised to prioritize patching the OWASSRF bug to thwart exploitation attempts.
Cyware Publisher