A new exploit method, referred to as OWASSRF, has been discovered by researchers and exploited in the wild. This exploit combines CVE-2022-41080 and CVE-2022-41082 to enable remote code execution (RCE) through Outlook Web Access (OWA). The OWASSRF exploit successfully bypasses URL rewrite mitigations previously provided by Microsoft for ProxyNotShell.
On September 29, 2022, reports emerged of active exploitation of two zero-day vulnerabilities in Microsoft Exchange, which could allow remote code execution (RCE). These vulnerabilities were identified by Microsoft as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows RCE. These vulnerabilities were collectively referred to as ProxyNotShell.
On December 20th, researchers detected a new exploit that has been used by malicious actors to bypass the mitigations suggested by Microsoft and dubbed it OWASSRF. While the original ProxyNotShell exploit targeted CVE-2022-41040, the flaw used by the new exploit is likely to be CVE-2022-41080, a critical security flaw that allows for remote privilege escalation on Exchange servers and has not previously been observed being exploited in the wild.
September 29, 2022 - The ProxyNotShell exploit was detected in the wild, targeting vulnerabilities CVE-2022-41040 and CVE-2022-41082.
November 8, 2022 - Microsoft released its November Patch Tuesday, which included patches for six Microsoft Exchange vulnerabilities, including CVE-2022-41040, CVE-2022-41082, and CVE-2022-41080. The latter vulnerability had not previously been observed being exploited in the wild.
December 20, 2022 - The OWASSRF exploit was detected in the wild, used by the Play ransomware group; it chains CVE-2022-41080 and CVE-2022-41082 to achieve RCE through Outlook Web Access.
Based on our data, 80% of cloud environments that use vulnerable Microsoft Exchange products have patched their Exchange servers against the exploited vulnerabilities.
The Play ransomware group has deployed OWASSRF to bypass the ProxyNotShell URL rewrite mitigations and achieve remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). The group primarily targets the Latin American region, with Brazil being the top target. Their tactics, techniques, and procedures (TTPs) are similar to those used by the Hive and Nokoyawa ransomware families, including the use of AdFind, a command-line query tool used to gather information from Active Directory. To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse CVE-2022-41082, the same vulnerability exploited by ProxyNotShell. Additional tools used by the group include ConnectWise ScreenConnect and BITSadmin.
Microsoft Exchange Server 2013 before KB5019758
Microsoft Exchange Server 2016 before KB5019758
Microsoft Exchange Server 2019 before KB5019758
The following TTPs and IOCs have been published by multiple researchers (see references) that can be used to detect compromised Exchange servers:
| MITRE ATT&CK tactic | Indicator |
|---|---|
| TA0001 - Initial Access | 45[.]76[.]141[.]84 |
| TA0001 - Initial Access | 45[.]76[.]143[.]143 |
| TA0001 - Initial Access | 179[.]60[.]149[.]28 |
| TA0002 - Execution | PowerShell spawned by IIS (`w3wp.exe`) |
| TA0003 - Persistence | BITSadmin |
| TA0006 - Credential Access | Mimikatz |
| TA0002 - Execution / TA0009 - Collection | ScreenConnect |
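The two machine-checkable indicators in the table (the listed IP addresses and PowerShell being spawned by the IIS worker `w3wp.exe`) can be turned into a simple detection pass over process and network telemetry. The following is an added example in Python, not code from the advisory or from any vendor tool; the key=value line format, the host name and the sample events are constructed assumptions, and `pwsh.exe` is included as an assumed extension of the table's PowerShell indicator.

```python
import re

# Indicators taken from the advisory's table; the page gives the IPs in
# defanged form ("45[.]76[.]141[.]84"), so they are re-fanged before matching.
def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")

KNOWN_INDICATOR_IPS = {refang(ip) for ip in (
    "45[.]76[.]141[.]84", "45[.]76[.]143[.]143", "179[.]60[.]149[.]28")}
IIS_WORKER = "w3wp.exe"
# The advisory names PowerShell spawned by IIS; pwsh.exe is an added
# assumption so that PowerShell 7 is covered as well.
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry in a simple key=value line format (not a real
# Windows or Sysmon log format). Paths deliberately contain no spaces.
SAMPLE_EVENTS = """\
event=ProcessCreate host=exch01 parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
event=ProcessCreate host=exch01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
event=NetworkConnect host=exch01 image=C:\\Windows\\System32\\inetsrv\\w3wp.exe dst=45.76.141.84 dport=443
event=NetworkConnect host=exch01 image=C:\\Exchange\\Bin\\MSExchangeTransport.exe dst=10.0.0.5 dport=25
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    # Split one key=value line into a dict (empty dict for blank lines).
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    # Lower-cased file name of a Windows path, for case-insensitive matching.
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (tactic, host, description) tuples for events matching the indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            child = basename(ev.get("image", ""))
            if parent == IIS_WORKER and child in SUSPECT_CHILDREN:
                findings.append(("TA0002", ev["host"], f"{child} spawned by {parent}"))
        elif ev.get("event") == "NetworkConnect" and ev.get("dst") in KNOWN_INDICATOR_IPS:
            findings.append(("TA0001", ev["host"], f"connection to known indicator {ev['dst']}"))
    return findings

if __name__ == "__main__":
    for tactic, host, what in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{tactic} {host}: {what}")
```

A match on the process-creation rule alone is worth triage on its own, since legitimate Exchange operation gives IIS no reason to spawn PowerShell.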
Microsoft released an update, KB5019758, as part of the November Patch Tuesday to fix the above vulnerabilities. It is recommended to update to this KB or a later one. If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.
If patching is not possible, it is recommended to disable remote PowerShell for non-administrative users where possible and to restrict access to external-facing Exchange servers.
Exchange Online customers do not need to take any additional action as they are already protected.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.