
Beyond ProxyNotShell - New OWASSRF Exploit Targets MS Exchange

A security firm has disclosed a new exploit technique, OWASSRF, that abuses CVE-2022-41080 and CVE-2022-41082 to compromise Microsoft Exchange servers. It is distinct from ProxyNotShell, another common attack method actively used against Microsoft Exchange servers.

The new exploit method

Recent CrowdStrike Services investigations have revealed that several Play ransomware intrusions used this exploit.
  • For initial access and arbitrary code execution, the attackers used Remote PowerShell to exploit CVE-2022-41082, one of the two bugs used in ProxyNotShell attacks.
  • The corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, which implied a previously undisclosed exploit technique for Exchange; it has now been named OWASSRF.

Research indicates that, instead of the other bug used in ProxyNotShell attacks (CVE-2022-41040), these attackers exploited a different bug, CVE-2022-41080. This indicates that the attack is distinct from ProxyNotShell.

Was the exploit leaked elsewhere?

A researcher from Huntress Labs discovered and leaked a threat actor's tooling online on December 14.
  • The leaked tooling contained a PoC for an Exchange exploit. The logs it generated matched the logs generated by Play's Exchange exploit (OWASSRF).
  • Based on analysis of the leaked tooling, CrowdStrike researchers confirmed that it was the same exploit used in the recent attacks, and that the OWA exploit used in those attacks is related to CVE-2022-41080.
  • The PoC exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers.
  • The tooling also included ConnectWise RAT, which was deployed in the attacks as well.

Further, to hide their activity, the attackers used anti-forensics techniques on the Exchange server.

Conclusion

The attacks are ongoing, and more organizations could become victims of Play ransomware. Experts therefore recommend that on-premises Exchange servers apply the latest security updates (with November 2022 as the minimum patch level) or disable OWA until the CVE-2022-41080 patch is applied.
Cyware Publisher
