Ransomware Hackers Use New Method to Bypass Microsoft Exchange ProxyNotShell Mitigations

As part of a campaign to spread the Play ransomware, threat actors are using a novel attack chain that leverages the ProxyNotShell vulnerabilities in Microsoft Exchange Server to gain remote code execution (RCE), this time entering through the Outlook Web Access (OWA) front end rather than the Autodiscover endpoint.

According to a technical write-up published on Tuesday by CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio, “the new exploit approach overcomes URL rewrite mitigations for the Autodiscover endpoint.”

The Play ransomware, which initially appeared in June 2022 and was updated to Rust in September 2022, has been shown to borrow heavily from other ransomware families like Hive and Nokoyawa. The cybersecurity firm discovered that initial access to the target environments was not gained through the Autodiscover endpoint abused by CVE-2022-41040, but through the OWA endpoint instead.

The exploit chain, dubbed OWASSRF, most likely abuses CVE-2022-41080 (CVSS score: 8.8), a privilege-escalation flaw reachable through OWA, and then triggers CVE-2022-41082 to execute arbitrary code remotely.

It is worth noting that both CVE-2022-41040 and CVE-2022-41080 are server-side request forgery (SSRF) flaws: a request to the Exchange front end (Autodiscover in one case, OWA in the other) is forwarded to an internal resource that should not be reachable from outside, in this case the PowerShell remoting service.

According to CrowdStrike, after gaining access, the adversary dropped legitimate Plink and AnyDesk executables to maintain persistent access and cleared Windows Event Logs on the compromised servers to cover their tracks.

Microsoft fixed all three flaws as part of the company's November 2022 Patch Tuesday updates. Unlike CVE-2022-41040 and CVE-2022-41082, which were exploited as zero-days before a patch was available, it is not known whether CVE-2022-41080 was actively exploited before it was fixed.

Microsoft has given CVE-2022-41080 an Exploitability Index rating of “Exploitation More Likely”, meaning Microsoft expects that an attacker could reliably craft working exploit code for the weakness.

In addition, CrowdStrike noted that the Play ransomware operators may have used a proof-of-concept (PoC) Python script discovered and published by Huntress Labs researcher Dray Agha last week.

CrowdStrike established this by running the script in a test environment, which it said made it possible to replicate “the logs generated in recent Play ransomware attacks.”

Because the URL rewrite mitigation for ProxyNotShell only inspects requests to the Autodiscover endpoint, it never sees the OWA-based path used by this exploit approach and offers no protection against it. The researchers therefore recommend that organizations deploy the November 8, 2022, Exchange security updates rather than rely on the mitigation to prevent exploitation.
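To make the mitigation gap concrete, the following is an added Python example, not code from this page, from CrowdStrike, or from Microsoft. It parses a constructed excerpt of Exchange front-end IIS logs and compares two filters: an Autodiscover-keyed condition that approximates the shape of the ProxyNotShell URL rewrite mitigation (an assumption, not a quote of Microsoft's rule), and a broader check that flags any front-end request whose decoded URI targets the back-end PowerShell endpoint, whichever virtual directory it enters through. The OWA-entry request shown is a hypothetical shape chosen only to illustrate the point; the page does not give the exact request used by OWASSRF.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for illustration; not taken from the page or from
# any real incident. Field order: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status
# Line 2: an Autodiscover-style ProxyNotShell request (shape approximated).
# Line 3: a hypothetical OWA-entry request aimed at the same back-end endpoint.
IIS_LOG = """\
2022-12-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.10 Mozilla/5.0 200
2022-12-01 10:00:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell/?email=autodiscover/autodiscover.json%3f@example.com 443 - 203.0.113.10 python-requests/2.28 200
2022-12-01 10:00:09 10.0.0.5 POST /owa/user%40example.com/powershell - 443 - 203.0.113.10 python-requests/2.28 200
2022-12-01 10:00:11 10.0.0.5 GET /ecp/default.aspx - 443 admin 10.0.0.20 Mozilla/5.0 200
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "user", "c_ip", "user_agent", "status"]


def parse_iis(text):
    """Parse space-delimited W3C lines into dicts; IIS writes '-' for an empty field."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # skip lines that do not match the assumed field layout
        row = dict(zip(FIELDS, parts))
        row["uri_query"] = "" if row["uri_query"] == "-" else row["uri_query"]
        rows.append(row)
    return rows


def request_uri(row):
    """Rebuild and percent-decode the request URI as a rewrite rule would see it."""
    uri = row["uri_stem"]
    if row["uri_query"]:
        uri += "?" + row["uri_query"]
    return unquote(uri)


# Illustrative Autodiscover-keyed condition: both 'autodiscover' and 'powershell'
# must appear in the URI. This models the endpoint-specific nature of the
# published mitigation; it is an assumption, not Microsoft's exact pattern.
AUTODISCOVER_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Broader detection: any front-end request whose decoded URI reaches the
# back-end PowerShell endpoint, regardless of the front-end virtual directory.
POWERSHELL_TARGET = re.compile(r"/powershell(?:[/?]|$)", re.IGNORECASE)


def blocked_by_autodiscover_rule(rows):
    return [r for r in rows if AUTODISCOVER_RULE.search(request_uri(r))]


def powershell_proxy_requests(rows):
    return [r for r in rows if POWERSHELL_TARGET.search(request_uri(r))]


def uncovered_requests(rows):
    """Requests that reach the PowerShell endpoint but the Autodiscover-keyed rule misses."""
    blocked = {id(r) for r in blocked_by_autodiscover_rule(rows)}
    return [r for r in powershell_proxy_requests(rows) if id(r) not in blocked]


if __name__ == "__main__":
    rows = parse_iis(IIS_LOG)
    for r in uncovered_requests(rows):
        print("not covered by Autodiscover-keyed rule:",
              r["c_ip"], r["method"], request_uri(r))
```

Run against the sample, the Autodiscover-keyed condition matches only the classic ProxyNotShell line, while the OWA-entry request slips past it even though it targets the same back-end PowerShell endpoint. For hunting, key detections on the destination (the PowerShell proxy path and the corresponding back-end logs) rather than on a single front-end entry point, and treat the rewrite rule as a stopgap until the November 2022 updates are installed.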
