The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November.
The new method bypasses mitigations that Microsoft had provided for the exploit chain, meaning organizations that have only implemented those but have not yet applied the patch for it need to do so immediately.
The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called "ProxyNotShell" flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.
In the attack that GTSC reported, the threat actor utilized the CVE-2022-41040 SSRF vulnerability to access the Remote PowerShell service and used it to trigger the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. The company claimed — and security researchers agreed — that the blocking rule would help prevent known exploit patterns against the ProxyNotShell vulnerabilities.
Novel New Exploit Chain
This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft's mitigation measure for ProxyNotShell.
The method involves the attacker exploiting another — and little-known — SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end, instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as it has for the SSRF bug in the original ProxyNotShell exploit chain.
CVE-2020-41080 allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in exactly the same way as they could when using CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group's new exploit chain as a "previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint."
Because Microsoft's ProxyNotShell mitigation only blocks requests made to the Autodiscover endpoint on Microsoft Exchange server, requests to access the PowerShell remote service via the OWA front end will not be blocked, the security vendor explained.
CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as "OWASSRF."
Microsoft emphasized that the attack bypasses mitigations, but not the available patch for the issue.
“The reported method exploits vulnerable systems that have not applied our latest security updates," a Microsoft spokesperson told Dark Reading. "Customers should prioritize installing the latest updates, specifically our November 2022 Exchange Server updates.”
Patch Now or Disable OWA
CrowdStrike said it discovered the new exploit chain when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers.
However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike's further investigation showed that the attackers had used CVE-2022-41080 instead.
"Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," CrowdStrike warned, echoing Microsoft. "If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied."
The security vendor's other recommendations to organizations for reducing their exposure to the new threat includes disabling remote PowerShell for non-administrative users where possible and using EDR tools to detect Web services spawning PowerShell processes. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.