The developers of the Play ransomware strain have created a new attack chain for a severe Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server, which Microsoft fixed in November. The new technique circumvents the mitigations Microsoft issued for the exploit chain, so businesses that have only applied those mitigations and have not yet installed the patch must do so immediately.
The RCE flaw at issue (CVE-2022-41082) is one of two "ProxyNotShell" flaws in Exchange Server 2013, 2016, and 2019 that Vietnamese security firm GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that lets attackers gain elevated privileges on a compromised system.
According to GTSC's report, the threat actor used the CVE-2022-41040 SSRF vulnerability to reach the Remote PowerShell service and then used that access to trigger the RCE flaw on affected systems. In response, Microsoft advised organizations to apply a blocking rule that prevents attackers from reaching the remote PowerShell service through the Autodiscover endpoint on affected servers. Microsoft stated, and security researchers agreed, that the blocking rule would prevent the known exploit patterns against the ProxyNotShell vulnerabilities.
New and Innovative Exploit Chain
CrowdStrike researchers said this week that the threat actors behind Play ransomware used a new approach to exploit CVE-2022-41082 that bypasses Microsoft's ProxyNotShell mitigation. The attackers use a different SSRF flaw in Exchange Server, tracked as CVE-2022-41080, to reach the PowerShell remote service through the Outlook Web Access (OWA) front end rather than the Autodiscover endpoint. Microsoft assigned this flaw the same severity rating (8.8) as the SSRF flaw in the original ProxyNotShell exploit chain.
According to CrowdStrike, CVE-2022-41080 lets attackers reach the PowerShell remote service and use it to exploit CVE-2022-41082 in the same way as with CVE-2022-41040. CrowdStrike characterised the Play ransomware group's new exploit chain as a "previously undocumented approach to reach the PowerShell remoting service through the OWA frontend endpoint, rather than exploiting the Autodiscover endpoint."
Because Microsoft's ProxyNotShell mitigation only restricts requests to the Autodiscover endpoint on the Exchange server, requests to the PowerShell remote service via the OWA front end are not blocked, according to CrowdStrike. CrowdStrike has labelled the new exploit chain, which combines CVE-2022-41080 and CVE-2022-41082, "OWASSRF".
Two Options - Patch Immediately or Disable OWA
"Organizations should implement Nov. 8, 2022, Exchange fixes to prevent exploitation because the ProxyNotShell URL rewrite mitigations are ineffective against this exploit approach," CrowdStrike advised. "If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch is available." Microsoft did not immediately respond to a request for comment.
CrowdStrike identified the new exploit chain while investigating several recent Play ransomware intrusions in which a Microsoft Exchange Server vulnerability served as the initial access vector. The researchers quickly determined that the Play ransomware attackers had used the ProxyNotShell RCE vulnerability (CVE-2022-41082) to deliver legitimate payloads on compromised Exchange servers in order to maintain access and carry out anti-forensics techniques.
However, there was no indication that CVE-2022-41040 had been used as part of the exploit chain; CrowdStrike's further analysis revealed that the attackers had instead used CVE-2022-41080. The security vendor's guidance recommends that organizations disable remote PowerShell for non-administrative users where possible and use EDR tooling to detect web services launching PowerShell processes. The company has also published a script that administrators can use to check Exchange servers for signs of exploitation.
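The detection advice above (watch for web services launching PowerShell) can be expressed as a simple parent/child process check. The Python below is an added example written for this page; it is not CrowdStrike's monitoring script and not code from the article. It assumes Sysmon-style process-creation records (Event ID 1) exported as JSON lines with `ParentImage`, `Image`, `CommandLine` and `User` fields, and it treats `w3wp.exe`, the IIS worker process that hosts the Exchange OWA and Autodiscover front ends, as the web-service parent of interest. All sample records are constructed; the command lines carry placeholders rather than real payloads.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1), one JSON object per line.
# These are illustrative samples, not telemetry from any real incident. The fourth line is
# deliberately malformed to show that the parser skips bad records instead of aborting.
SAMPLE_JSONL = r"""
{"UtcTime": "2022-12-20 10:01:02", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -EncodedCommand <constructed-placeholder>", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-12-20 10:01:05", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe", "User": "CORP\\admin"}
{"UtcTime": "2022-12-20 10:02:10", "ParentImage": "C:\\Windows\\System32\\inetsrv\\W3WP.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "User": "NT AUTHORITY\\SYSTEM"}
not valid json at all
{"UtcTime": "2022-12-20 10:03:00", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "User": "NT AUTHORITY\\SYSTEM"}
{"UtcTime": "2022-12-20 10:04:30", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -nop -c <constructed-placeholder>", "User": "NT AUTHORITY\\SYSTEM"}
"""

# Assumption: w3wp.exe is the IIS worker process that hosts the Exchange OWA/Autodiscover
# front ends, so it is the "web service" parent this detection cares about.
WEB_SERVICE_PARENTS = {"w3wp.exe"}
# Shell images whose appearance as a child of a web service is suspicious on an Exchange server.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path (case-insensitive matching)."""
    return PureWindowsPath(path).name.lower()


def is_web_service_shell_spawn(event: dict) -> bool:
    """True when a web-service parent (w3wp.exe) spawned a shell interpreter."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in WEB_SERVICE_PARENTS and child in SHELL_IMAGES


def parse_jsonl(text: str) -> list:
    """Parse JSON-lines telemetry, silently dropping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a single bad record must not stop the scan of the rest
        if isinstance(obj, dict):
            events.append(obj)
    return events


def detect(text: str) -> list:
    """Return one alert dict per web-service-to-shell process creation found in the input."""
    alerts = []
    for ev in parse_jsonl(text):
        if is_web_service_shell_spawn(ev):
            alerts.append({
                "time": ev.get("UtcTime"),
                "parent": image_name(ev.get("ParentImage", "")),
                "child": image_name(ev.get("Image", "")),
                "user": ev.get("User"),
                "command_line": ev.get("CommandLine"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_JSONL):
        print(f"[ALERT] {alert['time']} {alert['parent']} -> {alert['child']} "
              f"as {alert['user']}: {alert['command_line']}")
```

On the constructed input this flags the three `w3wp.exe` children (`powershell.exe`, `cmd.exe`, `pwsh.exe`) and ignores the interactive PowerShell started from `explorer.exe`. In a real deployment the same parent/child test is what you would encode as an EDR or SIEM rule; on an Exchange server there is rarely a benign reason for the IIS worker process to spawn a shell, so the rule can be tuned with few exclusions.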