{"id":521395,"date":"2022-12-21T07:06:23","date_gmt":"2022-12-21T09:06:23","guid":{"rendered":"https:\/\/teknomers.com\/fr\/les-pirates-de-ransomwares-utilisent-une-nouvelle-facon-de-contourner-les-attenuations-de-ms-exchange-proxynotshell\/"},"modified":"2022-12-21T07:06:25","modified_gmt":"2022-12-21T09:06:25","slug":"les-pirates-de-ransomwares-utilisent-une-nouvelle-facon-de-contourner-les-attenuations-de-ms-exchange-proxynotshell","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/les-pirates-de-ransomwares-utilisent-une-nouvelle-facon-de-contourner-les-attenuations-de-ms-exchange-proxynotshell\/","title":{"rendered":"Les pirates de ransomwares utilisent une nouvelle fa\u00e7on de contourner les att\u00e9nuations de MS Exchange ProxyNotShell"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">21 d\u00e9cembre 2022<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">S\u00e9curit\u00e9 des e-mails \/ S\u00e9curit\u00e9 des donn\u00e9es<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><\/div>\n<p>Les acteurs de la menace affili\u00e9s \u00e0 une souche de ransomware connue sous le nom de Play exploitent une cha\u00eene d&#8217;exploitation in\u00e9dite qui contourne les r\u00e8gles de blocage des failles ProxyNotShell dans Microsoft Exchange Server pour r\u00e9aliser l&#8217;ex\u00e9cution de code \u00e0 distance (RCE) via Outlook Web Access (<a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Outlook_on_the_web\" target=\"_blank\">OWA<\/a>).<\/p>\n<p>&#8220;La nouvelle m\u00e9thode d&#8217;exploitation contourne les att\u00e9nuations de r\u00e9\u00e9criture d&#8217;URL pour le <a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/exchange\/architecture\/client-access\/autodiscover\" target=\"_blank\">Point de terminaison de d\u00e9couverte automatique<\/a>&#8220;, les chercheurs de CrowdStrike Brian Pitchford, Erik Iker et Nicolas Zilio <a rel=\"nofollow noopener\" href=\"https:\/\/www.crowdstrike.com\/blog\/owassrf-exploit-analysis-and-recommendations\/\" target=\"_blank\">m&#8217;a dit<\/a> dans un article technique publi\u00e9 mardi.<\/p>\n<p>Play ransomware, qui a fait surface pour la premi\u00e8re fois en juin 2022, a \u00e9t\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\" target=\"_blank\">r\u00e9v\u00e9l\u00e9<\/a> adopter de nombreuses tactiques employ\u00e9es par d&#8217;autres familles de ran\u00e7ongiciels telles que Hive et <a rel=\"nofollow noopener\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/nokoyawa-ransomware-possibly-related-to-hive-.html\" target=\"_blank\">Nokoyawa<\/a>dont le dernier <a rel=\"nofollow noopener\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/nokoyawa-ransomware-rust-or-bust\" target=\"_blank\">mis \u00e0 niveau vers Rust<\/a> en septembre 2022.<\/p>\n<div class=\"ad_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/uptycs-inside\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/12\/1670949871_285_De-graves-attaques-auraient-pu-etre-mises-en-scene-via.png\" width=\"728\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Les enqu\u00eates de la soci\u00e9t\u00e9 de cybers\u00e9curit\u00e9 sur plusieurs intrusions de ran\u00e7ongiciels Play ont r\u00e9v\u00e9l\u00e9 que l&#8217;acc\u00e8s initial aux environnements cibles n&#8217;\u00e9tait pas obtenu en exploitant directement <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-41040\" target=\"_blank\">CVE-2022-41040<\/a>mais plut\u00f4t via le point de terminaison OWA.<\/p>\n<p>Doubl\u00e9 <strong>OWASSRF<\/strong>la technique tire probablement parti d&#8217;un autre d\u00e9faut critique suivi comme <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2022-41080\" target=\"_blank\">CVE-2022-41080<\/a> (score CVSS\u00a0: 8,8) pour obtenir une \u00e9l\u00e9vation de privil\u00e8ges, suivie d&#8217;abus <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-41082\" target=\"_blank\">CVE-2022-41082<\/a> pour l&#8217;ex\u00e9cution de code \u00e0 distance.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/12\/1671613583_536_Les-pirates-de-ransomwares-utilisent-une-nouvelle-facon-de-contourner.png\" alt=\"MS Exchange ProxyNotShell RCE\" border=\"0\" data-original-height=\"422\" data-original-width=\"728\" title=\"MS Exchange ProxyNotShell RCE\"\/><\/div>\n<p>Il convient de noter que CVE-2022-41040 et CVE-2022-41080 proviennent d&#8217;un cas de falsification de requ\u00eate c\u00f4t\u00e9 serveur (<a rel=\"nofollow noopener\" href=\"https:\/\/owasp.org\/www-community\/attacks\/Server_Side_Request_Forgery\" target=\"_blank\">SSRF<\/a>), qui permet \u00e0 un attaquant d&#8217;acc\u00e9der \u00e0 des ressources internes non autoris\u00e9es, en l&#8217;occurrence le <a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/exchange\/exchange-management-shell\" target=\"_blank\">Communication \u00e0 distance PowerShell<\/a> un service.<\/p>\n<p>CrowdStrike a d\u00e9clar\u00e9 que l&#8217;acc\u00e8s initial r\u00e9ussi a permis \u00e0 l&#8217;adversaire de supprimer les ex\u00e9cutables l\u00e9gitimes Plink et AnyDesk pour maintenir un acc\u00e8s persistant et de prendre des mesures pour purger les journaux d&#8217;\u00e9v\u00e9nements Windows sur les serveurs infect\u00e9s afin de dissimuler l&#8217;activit\u00e9 malveillante.<\/p>\n<p>Les trois vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es par Microsoft dans le cadre de ses mises \u00e0 jour Patch Tuesday pour novembre 2022. Cependant, il n&#8217;est pas clair si CVE-2022-41080 a \u00e9t\u00e9 activement exploit\u00e9 en tant que zero-day aux c\u00f4t\u00e9s de CVE-2022-41040 et CVE-2022-41082.<\/p>\n<p>Le fabricant de Windows, pour sa part, a marqu\u00e9 CVE-2022-41080 avec une \u00e9valuation &#8220;Exploitation plus probable&#8221;, ce qui implique qu&#8217;il est possible pour un attaquant de cr\u00e9er un code d&#8217;exploitation qui pourrait \u00eatre utilis\u00e9 pour armer de mani\u00e8re fiable la faille.<\/p>\n<p>CrowdStrike a en outre not\u00e9 qu&#8217;un script Python de preuve de concept (PoC) <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/Purp1eW0lf\/status\/1602989967776808961\" target=\"_blank\">d\u00e9couvert<\/a> et divulgu\u00e9 par le chercheur de Huntress Labs Dray Agha la semaine derni\u00e8re pourrait avoir \u00e9t\u00e9 utilis\u00e9 par les acteurs du ran\u00e7ongiciel Play pour un acc\u00e8s initial.<\/p>\n<p>En t\u00e9moigne le fait que l&#8217;ex\u00e9cution du script Python a permis de &#8220;r\u00e9pliquer les logs g\u00e9n\u00e9r\u00e9s lors des r\u00e9centes attaques du ransomware Play&#8221;.<\/p>\n<p>&#8220;Les organisations devraient appliquer les correctifs du 8 novembre 2022 pour Exchange afin d&#8217;emp\u00eacher l&#8217;exploitation, car les att\u00e9nuations de r\u00e9\u00e9criture d&#8217;URL pour ProxyNotShell ne sont pas efficaces contre cette m\u00e9thode d&#8217;exploitation&#8221;, ont d\u00e9clar\u00e9 les chercheurs.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/12\/ransomware-hackers-using-new-way-to.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80221 d\u00e9cembre 2022\ue804Ravie LakshmananS\u00e9curit\u00e9 des e-mails \/ S\u00e9curit\u00e9 des donn\u00e9es Les acteurs de la menace affili\u00e9s \u00e0 une souche de ransomware connue sous le nom de Play exploitent une cha\u00eene d&#8217;exploitation in\u00e9dite qui contourne les r\u00e8gles de blocage des failles ProxyNotShell dans Microsoft Exchange Server pour r\u00e9aliser l&#8217;ex\u00e9cution de code \u00e0 distance (RCE) via Outlook [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":521396,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[23641,4168,11696,4158,4165,4161,7854,6413,4157,4159,4171,4170,65,4167,4160,197,4163,4162,4394,114127,63091,4172,4169,196,10784,4166,4164],"class_list":["post-521395","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-attenuations","tag-comment-pirater","tag-contourner","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-exchange","tag-facon","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelle","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-pirates","tag-proxynotshell","tag-ransomwares","tag-securite-informatique","tag-securite-internet","tag-une","tag-utilisent","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/521395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=521395"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/521395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/521396"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=521395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=521395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=521395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}