Ransomware Attackers Bypass Microsoft’s ProxyNotShell Mitigations With Fresh Exploit

The operators of a ransomware strain known as Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November.

The new method bypasses the mitigations Microsoft had provided for the exploit chain, meaning organizations that have only implemented those mitigations but have not yet applied the patch need to do so immediately.

The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called "ProxyNotShell" flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security firm GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.

In the attack that GTSC reported, the threat actor used the CVE-2022-41040 SSRF vulnerability to access the Remote PowerShell service and then used that access to trigger the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a blocking rule to prevent attackers from reaching the PowerShell remote service through the Autodiscover endpoint on affected systems. The company claimed, and security researchers agreed, that the blocking rule would help prevent known exploit patterns against the ProxyNotShell vulnerabilities.

Novel New Exploit Chain

This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft's mitigation measure for ProxyNotShell.

The method involves the attacker exploiting another, little-known SSRF bug in Exchange Server, tracked as CVE-2022-41080, to access the PowerShell remote service through the Outlook Web Access (OWA) front end instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity score (8.8) as it has for the SSRF bug in the original ProxyNotShell exploit chain.

CVE-2022-41080 allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in exactly the same way as they could when using CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group's new exploit chain as a "previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint."

Because Microsoft's ProxyNotShell mitigation only blocks requests made to the Autodiscover endpoint on Microsoft Exchange Server, requests to access the PowerShell remote service through the OWA front end will not be blocked, the security vendor explained.
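The gap described above is easy to see when the Autodiscover-only rewrite condition is replayed against web server logs. The following is an added example, not code from the article, CrowdStrike or Microsoft: it parses a few constructed IIS-style log lines, applies an approximation of the Autodiscover-only blocking condition (assumed regex, modelled on the published rule's shape rather than copied from it), and reports which requests still reach the PowerShell remoting path through the OWA front end without being blocked. The log lines, paths and field layout are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed IIS W3C-style log lines (sample data, not real traffic). Fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status ("-" = empty query).
SAMPLE_LOG = """\
2022-12-20 10:01:02 POST /autodiscover/autodiscover.json mailbox%40example.test/powershell 200
2022-12-20 10:02:15 POST /owa/mailbox%40example.test/powershell - 200
2022-12-20 10:03:44 GET /owa/ - 200
2022-12-20 10:04:09 GET /autodiscover/autodiscover.json - 401
"""

# Assumed approximation of the Autodiscover-only URL rewrite condition the
# article describes: it fires only when the request URI names the Autodiscover
# endpoint on its way to the PowerShell path.
AUTODISCOVER_ONLY_RULE = re.compile(r".*autodiscover\.json.*powershell.*", re.IGNORECASE)

# Broader defender view: any request that reaches the PowerShell remoting path
# through either front end (Autodiscover or OWA) deserves a look.
FRONTEND_TO_POWERSHELL = re.compile(r"^/(autodiscover|owa)/.*powershell", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str
    status: int

    @property
    def uri(self) -> str:
        """Path plus query string, i.e. what a REQUEST_URI rewrite condition sees."""
        return self.path if self.query == "-" else f"{self.path}?{self.query}"


def parse_iis(text: str) -> List[Request]:
    """Parse the six-field constructed log format; skip blanks and '#' directives."""
    requests = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort the whole audit
        _date, _time, method, path, query, status = fields
        requests.append(Request(method, path, query, int(status)))
    return requests


def blocked_by_autodiscover_rule(req: Request) -> bool:
    """True if the Autodiscover-only rewrite condition would have stopped this request."""
    return AUTODISCOVER_ONLY_RULE.match(req.uri) is not None


def reaches_powershell_via_frontend(req: Request) -> bool:
    """True if the request reaches the PowerShell path through any front end."""
    return FRONTEND_TO_POWERSHELL.match(req.uri) is not None


def audit(text: str) -> Dict[str, List[str]]:
    """Split requests into those the Autodiscover-only rule blocks and those it
    lets through even though they still reach the PowerShell remoting path."""
    result: Dict[str, List[str]] = {"blocked": [], "missed": []}
    for req in parse_iis(text):
        if blocked_by_autodiscover_rule(req):
            result["blocked"].append(req.uri)
        elif reaches_powershell_via_frontend(req):
            result["missed"].append(req.uri)
    return result


if __name__ == "__main__":
    for kind, uris in audit(SAMPLE_LOG).items():
        print(kind, uris)
```

Run against the sample, the Autodiscover request is blocked while the OWA request lands in the "missed" list, which is exactly the class of traffic the broader pattern (or, per the article, patching or disabling OWA) has to cover. The same parser can be pointed at real IIS logs once the field list is adjusted to the server's configured W3C fields.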

CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 "OWASSRF."

Patch Now or Disable OWA

"Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," CrowdStrike warned. "If you can't apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied."

Microsoft did not respond immediately to a request for comment.

CrowdStrike said it discovered the new exploit chain while investigating several recent Play ransomware intrusions in which the initial access vector was a Microsoft Exchange Server vulnerability. The researchers quickly found that the Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers.

However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike's further investigation showed that the attackers had used CVE-2022-41080 instead.

The security vendor's recommendations to organizations for reducing their exposure to the new threat include disabling remote PowerShell for nonadministrative users where possible and using EDR tools to detect Web services spawning PowerShell processes. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.
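The "Web services spawning PowerShell" detection recommended above comes down to process lineage: on an Exchange server the IIS worker process (w3wp.exe) hosts the front-end application pools, and it has no routine business launching an interactive shell. The following is an added example, not CrowdStrike's script or any EDR product's logic: it walks a constructed set of process-creation events and flags PowerShell processes whose ancestry, directly or through an intermediate process such as cmd.exe, leads back to w3wp.exe, while leaving an administrator's console PowerShell alone. The event records, PIDs and command lines are constructed sample data, and the event format is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IIS worker process; Exchange front-end pools (OWA, Autodiscover, PowerShell) run in it.
WEB_SERVICE_IMAGES = {"w3wp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 5  # how far up the tree to look; bounds the walk on deep or cyclic data


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed process-creation events (assumed format; not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(700, 4, "services.exe", "services.exe"),
    ProcEvent(4012, 700, "w3wp.exe", "w3wp.exe -ap MSExchangeOWAAppPool"),
    ProcEvent(5120, 4012, "powershell.exe", "powershell.exe -NoProfile"),  # direct child of IIS worker
    ProcEvent(5300, 4012, "cmd.exe", "cmd.exe"),
    ProcEvent(5310, 5300, "pwsh.exe", "pwsh.exe -NoLogo"),                 # indirect: w3wp -> cmd -> pwsh
    ProcEvent(2200, 700, "explorer.exe", "explorer.exe"),
    ProcEvent(2210, 2200, "powershell.exe", "powershell.exe"),             # admin at the console: benign
    ProcEvent(4013, 700, "w3wp.exe", "w3wp.exe -ap MSExchangeECPAppPool"),
    ProcEvent(4020, 4013, "conhost.exe", "conhost.exe"),                   # not PowerShell: ignored
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = MAX_DEPTH) -> List[str]:
    """Ancestor images, nearest parent first; stops at an unknown PID or max_depth."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def find_web_spawned_powershell(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, lineage) for every PowerShell process with an IIS worker
    anywhere in its ancestry. Lineage starts with the process's own image."""
    by_pid = index_by_pid(events)
    hits: List[Tuple[int, List[str]]] = []
    for ev in events:
        if ev.image not in POWERSHELL_IMAGES:
            continue
        chain = ancestry(ev, by_pid)
        if any(img in WEB_SERVICE_IMAGES for img in chain):
            hits.append((ev.pid, [ev.image] + chain))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_web_spawned_powershell(SAMPLE_EVENTS):
        print(pid, " <- ".join(lineage))
```

Walking the full ancestry rather than checking only the immediate parent is what catches the second hit, where cmd.exe sits between the worker process and pwsh.exe; an EDR rule keyed on parent image alone would miss it. The depth bound keeps the walk cheap on large event sets and guards against malformed data where a parent PID points back into the chain.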
