Ransomware-wielding attackers are using a new exploit chain that includes one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to achieve remote code execution on Microsoft Exchange servers. The ProxyNotShell exploit chain used CVE-2022-41040, a SSRF vulnerability in the Autodiscover endpoint of Microsoft Exchange, while this new one uses CVE-2022-41080 to achieve privilege escalation through Outlook Web Access (OWA).
The exploit chain – dubbed OWASSRF by Crowdstrike researchers – can only be headed off by implementing the patches for Microsoft Exchange released in November 2022.
The URL rewrite mitigations for ProxyNotShell that Microsoft shared before the patches were ready are not effective against this exploit method, they say, and urge organizations that cannot apply the patch to temporarily disable OWA.
The clues leading to CVE-2022-41080
The researchers spotted in-the-wild exploitation of CVE-2022-41082 when investigating Play ransomware intrusions where the common entry vector was Microsoft Exchange.
They thought the attackers might have leveraged the ProxyNotShell exploit chain, but found no evidence of exploitation of CVE-2022-41040. Instead, they noticed POST requests made through the OWA endpoint.
The difference between the two exploit chains (Source: Crowdstrike)
In the meantime, Huntress Labs threat researcher Dray Agha managed to grab attack tools via an open repository and among them was a PoC script leveraging an unknown OWA exploit technique and the CVE-2022-41082 exploit.
CrowdStrike researchers successfully deployed the OWASSRF exploit against unpatched Exchange systems, but could not replicate the attack on patched ones. And, since the November KB5019758 patch fixes a DLL hijacking flaw and a flaw whose CVSS score as CVE-2022-41040 and has been marked “exploitation more likely,” they assess “it is highly likely that the OWA technique employed is in fact tied to CVE-2022-41080.”
CVE-2022-41080 is one of the two vulnerabilities four researchers from 360 Noah Lab and VcsLab of Viettel Cyber Security recently concatenated to achieve RCE on Exchange on-premises, Exchange Online and Skype for Business Server. They reported them to Microsoft, who fixed CVE-2022-41080 in November and the other one in December.
“After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity,” Crowdstrike researchers concluded, and provided additional advice for mitigating the risk and detecting signs of exploitation.
UPDATE (December 22, 2022, 06:10 a.m. ET):
Rapid7 has detected an increase in the number of Microsoft Exchange server compromises via this exploit chain, and has provided indicators of compromise related to the campaign.