Hackers Use New Method to Bypass Microsoft Exchange ProxyNotShell Mitigations: As part of a campaign distributing the Play ransomware, threat actors are using a novel exploit chain that leverages the ProxyNotShell vulnerabilities in Microsoft Exchange Server to gain remote code execution (RCE) through Outlook Web Access (OWA).
According to a technical write-up published on Tuesday by CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio, “the new exploit approach overcomes URL rewrite mitigations for the Autodiscover endpoint.”
The Play ransomware, which first surfaced in June 2022, has been found to borrow heavily from other ransomware families such as Hive and Nokoyawa. The cybersecurity firm discovered that initial access to the target environments was not gained by exploiting CVE-2022-41040 directly, but through the OWA endpoint instead.
The exploit, which CrowdStrike has dubbed OWASSRF, most likely chains CVE-2022-41080 (CVSS score: 8.8), a privilege escalation flaw in Exchange, to reach the PowerShell back end, and then CVE-2022-41082 to execute arbitrary code remotely.
It is worth noting that both CVE-2022-41040 and CVE-2022-41080 are server-side request forgery (SSRF) bugs: they let an attacker reach internal resources that the front end should not expose, in this case the Exchange PowerShell remoting service, which is then the target for CVE-2022-41082. The difference is the front-end path used to get there: ProxyNotShell goes through Autodiscover, OWASSRF goes through OWA.
ProxyShell vulnerabilities continue to be exploited. In the latest issue of #TheMonitor, our experts discuss the prevalence of #ProxyShell and #ProxyNotShell exploitation and how organizations can best protect themselves.
Read more: https://t.co/VbYqOCSANm pic.twitter.com/YK5uZPVlTd
— Kroll (@KrollWire) December 19, 2022
After gaining access, CrowdStrike said, the adversary dropped the legitimate Plink and AnyDesk executables to maintain persistent access, and cleared Windows Event Logs on the compromised servers to cover their tracks.
Microsoft fixed all three flaws as part of its November 2022 Patch Tuesday updates. Unlike CVE-2022-41040 and CVE-2022-41082, which were exploited as zero-days before they were patched, it is not known whether CVE-2022-41080 was actively exploited in the wild before the fix.
“An attacker can trigger the vulnerability via any Windows application protocol that authenticates.” https://t.co/RroIdMTtnQ
— Adam Levin (@Adam_K_Levin) December 19, 2022
Microsoft has given CVE-2022-41080 an “Exploitation More Likely” rating on its Exploitability Index, meaning the company assesses that an attacker could reliably craft working exploit code for the flaw.
CrowdStrike also noted that the Play ransomware operators may have used a proof-of-concept (PoC) Python script that Huntress Labs researcher Dray Agha discovered and publicly shared last week.
Play #ransomware using a “new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain RCE on vulnerable servers through Outlook Web Access (OWA)” https://t.co/lEea2Azaer #malware #cybersecurity #infosec pic.twitter.com/5fmLyND0ZX
— Raj Samani (@Raj_Samani) December 21, 2022
Executing that Python script, the researchers found, was enough to be “replicating the logs generated in recent Play ransomware assaults.”
CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access. https://t.co/eP0eDW9DnF
— CrowdStrike (@CrowdStrike) December 20, 2022
Because the ProxyNotShell URL rewrite mitigations do not cover this exploit method, the researchers recommend that organizations apply the November 8, 2022, security updates for Exchange Server rather than rely on the mitigations to prevent exploitation.
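The gap the researchers describe is easy to see by running requests through both filters. The following Python is an added example, not code from the page, CrowdStrike or Microsoft: it parses a few constructed IIS W3C log lines, applies a lookahead pattern of the form used by the published Autodiscover URL rewrite mitigation (reproduced from memory, so treat it as an assumption and verify against Microsoft's current guidance), and separately flags front-end /owa/ requests whose path carries the PowerShell back-end endpoint. The log lines, the field layout, and the /owa/.../powershell request shape are constructed for illustration and are not published indicators of compromise.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not real captures). Field order used here:
# date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
2022-12-15 03:12:07 POST /autodiscover/autodiscover.json @evil.example/powershell 443 203.0.113.10 401
2022-12-15 03:12:09 POST /owa/mastermailbox%40contoso.example/powershell - 443 203.0.113.10 200
2022-12-15 03:13:44 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.contoso.example%2fowa%2f 443 198.51.100.7 200
2022-12-15 03:14:02 POST /owa/mastermailbox%40contoso.example/powershell - 443 203.0.113.10 200
2022-12-15 03:15:00 GET /ecp/default.aspx - 443 198.51.100.7 200
"""

# Assumption: the Autodiscover mitigation rule matches the URL-decoded request URI
# against a pattern that requires both "autodiscover" and "powershell" to appear.
# Nothing in it mentions /owa/, which is the whole point of OWASSRF.
AUTODISCOVER_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


@dataclass
class Request:
    ts: str
    method: str
    stem: str
    query: str
    client: str
    status: str


def parse_iis(text: str) -> list[Request]:
    """Parse the constructed W3C layout above into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        date, time_, method, stem, query, _port, client, status = parts[:8]
        reqs.append(Request(f"{date} {time_}", method, stem,
                            "" if query == "-" else query, client, status))
    return reqs


def request_uri(r: Request) -> str:
    """Rebuild the URL-decoded path+query, which is what the rewrite rule inspects."""
    uri = r.stem + ("?" + r.query if r.query else "")
    return unquote(uri)


def blocked_by_autodiscover_rule(r: Request) -> bool:
    """True if the ProxyNotShell URL rewrite mitigation would abort this request."""
    return AUTODISCOVER_RULE.search(request_uri(r)) is not None


def is_owa_powershell_proxy(r: Request) -> bool:
    """Assumed detection heuristic: a front-end /owa/ request that names the
    PowerShell back-end endpoint. Ordinary OWA browser traffic never does this."""
    uri = request_uri(r).lower()
    return uri.startswith("/owa/") and "/powershell" in uri


def triage(text: str) -> dict:
    """Split the log into requests the mitigation stops and requests it misses."""
    reqs = parse_iis(text)
    return {
        "blocked": [r.ts for r in reqs if blocked_by_autodiscover_rule(r)],
        "owassrf_suspects": [r.ts for r in reqs
                             if not blocked_by_autodiscover_rule(r)
                             and is_owa_powershell_proxy(r)],
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key, hits)
```

The Autodiscover-path request is the only one the rewrite rule catches; the two /owa/ requests that reach the PowerShell back end pass straight through it, which is why patching, not the URL rewrite, is the fix. Adapt the field indices to your own IIS log configuration before running this over real logs.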