Security researchers at CrowdStrike have discovered a new exploit method for the ProxyNotShell vulnerabilities CVE-2022-41080 and CVE-2022-41082 while analyzing several Play ransomware cases. The ransomware uses a new exploit method to bypass Microsoft's URL rewrite rules (published in response to ProxyNotShell) for Autodiscover. The exploit allows remote code execution (RCE) via Outlook Web Access (OWA) and is then used to infect vulnerable Exchange servers. The new exploit method is referred to as OWASSRF. Addendum: CERT-EU has added the new exploit method to its 0-day Exchange exploit list.
Just before the holidays, a warning to Exchange administrators who do not have their on-premises systems up to the new patch level and whose systems are accessible via the Internet. At the end of September 2022, a new 0-day exploit method (ProxyNotShell) was found for on-premises Exchange Server, for which Microsoft published several URL rewrite rules at once in October 2022 as interim protection (see Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333 and the rest of the articles at the end of the post). Microsoft then released a security update in November 2022 (see Exchange Server security updates (November 8, 2022)).
New exploit method found
While investigating several Play ransomware cases, security researchers at CrowdStrike noticed that the intruders likely used Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082 as a common entry vector. In each of these cases, the corresponding logs were reviewed, but no evidence of CVE-2022-41040 being exploited for initial access could be found. Instead, it was found that the corresponding requests were made directly through the Outlook Web App (OWA) endpoint. This indicated a previously unknown method of exploiting Exchange.
Security researchers therefore believe they have discovered a new exploit method (called OWASSRF). This combines vulnerabilities CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) via Outlook Web Access (OWA). The new exploit bypasses the URL rewrite defenses for the Autodiscover endpoint that Microsoft provided in response to ProxyNotShell. CrowdStrike security researchers have published details here.
While CrowdStrike security researchers were working on developing their own proof-of-concept (PoC) code to match log data found during the investigation of recent Play ransomware attacks, Dray Agha, threat researcher at Huntress Labs, discovered the tooling of a threat actor on Dec. 14, 2022, and published it online. This is reported by Bleeping Computer colleagues here. The leaked tooling included a PoC for Play's Exchange exploit, which allowed CrowdStrike to replicate the malicious activity logged in Play ransomware attacks.
CrowdStrike security researchers believe the proof-of-concept exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers. Since summer, there have been several Play ransomware incidents (e.g., City of Antwerp, see Cyberangriff auf Antwerpen (Belgien); H-Hotels in Germany, see Cyberangriff auf H-Hotels.com (11. Dez. 2022); etc.). Currently, I assume that a fully patched Exchange Server is not vulnerable to this attack method or exploit. However, OWA should not be accessible via the Internet in any case.
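Two checks an Exchange administrator can run against the advice above (is the November 2022 SU installed, and which OWA virtual directories are published externally), as an added example for the Exchange Management Shell that is not part of the article or of CrowdStrike's research; the minimum ExSetup.exe version is a placeholder that must be taken from Microsoft's SU release table for your CU.

```powershell
# Added example: run in the Exchange Management Shell on a machine that can
# reach every Mailbox server. Not code from the article.
# PLACEHOLDER: set this to the ExSetup.exe file version of the November 2022 SU
# for your Cumulative Update (from Microsoft's Exchange build number table).
$MinimumExSetupVersion = [version]'0.0.0.0'

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$patchState = foreach ($srv in $servers) {
    # The installed SU level is only reflected in the ExSetup.exe file version;
    # AdminDisplayVersion shows the CU build and does not change when an SU is applied.
    $fileVersion = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
        (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
    }
    $installed = [version]$fileVersion
    [pscustomobject]@{
        Server         = $srv.Name
        ExSetupVersion = $fileVersion
        Status         = if ($installed -ge $MinimumExSetupVersion) { 'patched' } else { 'NEEDS SU' }
    }
}
$patchState | Format-Table -AutoSize

# OWA virtual directories with an ExternalUrl are configured for publishing
# outside the LAN. Confirm at the reverse proxy / firewall whether the URL is
# actually reachable from the Internet; -ADPropertiesOnly avoids slow IIS reads.
Get-OwaVirtualDirectory -ADPropertiesOnly |
    Where-Object { $_.ExternalUrl } |
    Select-Object Server, Name, ExternalUrl |
    Format-Table -AutoSize
```

A server reported as "NEEDS SU" or an OWA directory that is reachable from the Internet is the combination the article warns about.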
Similar articles:
Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates its mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsoft improves solutions for 0-day mitigation again (October 8, 2022)
Exchange Server security updates (November 8, 2022)
Ransomware attack responsible for Rackspace Exchange instance outage in Dec. 2022