Ransomware groups bypass ProxyNotShell mitigations with new exploit
CrowdStrike security researchers have discovered a new exploit that allows criminals to use Outlook Web Access to remotely execute code on Microsoft Exchange Server.
The method, called Outlook Web Access Server-Side Request Forgery (OWASSRF), uses two vulnerabilities to bypass Microsoft’s ProxyNotShell mitigations and access Exchange servers, which could now be subject to a wave of new cyberattacks.
The two flaws, CVE-2022-41040 and CVE-2022-41082, can be used by an attacker to reach Microsoft’s task automation and configuration management program, PowerShell, and gain the ability to execute code remotely.
CrowdStrike discovered that the Play Ransomware group operators had been using OWASSRF to access Microsoft Exchange Server, before attempting to mask their actions by clearing Windows event logs on the affected backend Exchange servers.
“After initial access via this new exploitation method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and performed anti-forensic techniques on the Microsoft Exchange server in an attempt to conceal their activity,” CrowdStrike said in a press release.
Researchers had been working to develop proof-of-concept code to emulate the breach. While researcher Dray Agha was able to recreate the exploit on Exchange systems that had not been patched against ProxyNotShell, he was unable to do so on patched systems.
179.60.149.28
– Initial access #ProxyNotShell
– Bitsadmin to download tools (http://179.60.149.28:4427/).
– Screen Connect installed, ID: b81d2f07c9163bf5, URL: instance-cmjrni-relay.screenconnect[.]com
– Mimikatz deployed
– Dray Agha (@Purp1eW0lf) December 14, 2022
Organizations are advised to disable Remote PowerShell for non-administrator users, apply Microsoft’s November 2022 security updates, and deploy endpoint detection and response (EDR) tooling.
Organizations that for some reason cannot apply Microsoft’s November patches should disable Outlook Web Access.
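The first of those recommendations, disabling Remote PowerShell for users who are not Exchange administrators, can be carried out from the Exchange Management Shell. The script below is an added example, not CrowdStrike’s or Microsoft’s code; it assumes on-premises Exchange, an account holding the Organization Management role, and the (hypothetical) policy that anyone who is a member of an Exchange role group counts as an administrator and keeps Remote PowerShell.

```powershell
# Added example (not from the original article): report, and optionally disable,
# Remote PowerShell for users who are not members of any Exchange role group.
# Run inside the Exchange Management Shell. Without -Apply it only reports.
param(
    [switch]$Apply   # with -Apply, Set-User is actually executed
)

# Build the set of "administrators": every member of every Exchange role group.
# (Assumption for this example; adjust the role groups to your own policy.)
$adminIds = @{}
foreach ($rg in Get-RoleGroup) {
    foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
        $adminIds[$m.DistinguishedName] = $true
    }
}

# Users that still have RemotePowerShellEnabled set and are not in a role group.
$candidates = @(Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and
                   -not $adminIds.ContainsKey($_.DistinguishedName) })

"{0} non-admin user(s) currently allowed to use Remote PowerShell" -f $candidates.Count

foreach ($u in $candidates) {
    if ($Apply) {
        # Removes the user's ability to open a remote PowerShell session to Exchange.
        Set-User -Identity $u.Identity -RemotePowerShellEnabled $false
        "disabled: {0}" -f $u.UserPrincipalName
    } else {
        "would disable: {0}" -f $u.UserPrincipalName
    }
}
```

Run it once without `-Apply` and review the list before applying, since service accounts that legitimately script against Exchange will also appear if they are not in a role group.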