OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know

A new exploit method targeting CVE-2022-41080 and CVE-2022-41082 vulnerabilities in Exchange servers, which can bypass previous workarounds, has been discovered and exploited in the wild. Organizations should patch urgently.


A new exploit method, referred to as OWASSRF, has been discovered by researchers and exploited in the wild. This exploit combines CVE-2022-41080 and CVE-2022-41082 to enable remote code execution (RCE) through Outlook Web Access (OWA). The OWASSRF exploit successfully bypasses URL rewrite mitigations previously provided by Microsoft for ProxyNotShell. 

What is OWASSRF? 

On September 29, 2022, reports emerged of active exploitation of two zero-day vulnerabilities in Microsoft Exchange, which could allow remote code execution (RCE). These vulnerabilities were identified by Microsoft as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows RCE. These vulnerabilities were collectively referred to as ProxyNotShell. 

On December 20th, researchers detected a new exploit that has been used by malicious actors to bypass the mitigations suggested by Microsoft and dubbed it OWASSRF. While the original ProxyNotShell exploit targeted CVE-2022-41040, the flaw used by the new exploit is likely to be CVE-2022-41080, a critical security flaw that allows for remote privilege escalation on Exchange servers and has not previously been observed being exploited in the wild.  

Timeline 

  • September 29, 2022 - The ProxyNotShell exploit was detected in the wild, targeting vulnerabilities CVE-2022-41040 and CVE-2022-41082.  

  • November 8, 2022 - Microsoft released its November Patch Tuesday, which included patches for six Microsoft Exchange vulnerabilities, including CVE-2022-41040, CVE-2022-41082, and CVE-2022-41080. The latter vulnerability had not previously been observed being exploited in the wild.  

  • December 20, 2022 - OWASSRF exploit detected in the wild, used by the Play ransomware group, which chained CVE-2022-41080 and CVE-2022-41082 to enable RCE through Outlook Web Access.

Wiz Research data: how many organizations are vulnerable?       

Based on our data, 80% of cloud environments that use vulnerable Microsoft Exchange products have patched their Exchange servers against the exploited vulnerabilities.  

What sort of exploitation has been identified in the wild? 

The Play ransomware group has deployed OWASSRF to bypass the ProxyNotShell URL rewrite mitigations and achieve remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). The group primarily targets the Latin American region, with Brazil being the top target. Their tactics, techniques, and procedures (TTPs) are similar to those used by the Hive and Nokoyawa ransomware families, including the use of AdFind, a command-line query tool used to gather information from Active Directory. To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse the CVE-2022-41082 vulnerability, which was also exploited by the ProxyNotShell exploit. Additional tools used by the group include ConnectWise ScreenConnect and BITSadmin.

Which products are affected? 

  • Microsoft Exchange Server 2013 before KB5019758 

  • Microsoft Exchange Server 2016 before KB5019758 

  • Microsoft Exchange Server 2019 before KB5019758 

Which TTPs & IOCs should I search for in my environment? 

The following TTPs and IOCs have been published by multiple researchers (see references) that can be used to detect compromised Exchange servers:

Tactic                                    IOC / Tool
TA0001 - Initial Access                   45[.]76[.]141[.]84
TA0001 - Initial Access                   45[.]76[.]143[.]143
TA0001 - Initial Access                   179[.]60[.]149[.]28
TA0002 - Execution                        PowerShell spawned by IIS ('w3wp.exe')
TA0003 - Persistence                      BITSadmin
TA0006 - Credential Access                Mimikatz
TA0002 - Execution / TA0009 - Collection  ScreenConnect
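The following script is an added example (not part of the original advisory) that checks event records against two of the IOCs in the table above: PowerShell launched as a child of the IIS worker process, and outbound connections to the three published IP addresses. The JSON-per-line event shape is a constructed, simplified format, not a real Exchange or Sysmon schema.

```python
"""Match process-creation and network events against the OWASSRF IOCs above.

Assumes a constructed, simplified JSON-per-line event format (one object per
line with "type", "host", "parent", "image", "dst_ip" fields); adapt the field
names to your own telemetry source.
"""
import json

# Defanged IPs from the IOC table, refanged here so they match raw telemetry.
IOC_IPS = {"45.76.141.84", "45.76.143.143", "179.60.149.28"}
# IIS worker process (hosts OWA) spawning a PowerShell host is the TA0002 IOC.
IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events, not real telemetry. The cmd.exe line is a
# deliberate non-match: the published IOC names PowerShell specifically.
SAMPLE_EVENTS = """\
{"type":"process","host":"exch01","parent":"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe","image":"powershell.exe","cmdline":"powershell -enc AAAA"}
{"type":"process","host":"exch01","parent":"services.exe","image":"powershell.exe","cmdline":"powershell Get-Date"}
{"type":"network","host":"exch01","image":"powershell.exe","dst_ip":"45.76.141.84","dst_port":443}
{"type":"network","host":"exch01","image":"outlook.exe","dst_ip":"40.97.1.1","dst_port":443}
{"type":"process","host":"exch02","parent":"w3wp.exe","image":"cmd.exe","cmdline":"cmd /c whoami"}
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return the list of IOC labels one event matches (empty if none)."""
    hits = []
    if ev.get("type") == "process":
        if basename(ev.get("parent", "")) == IIS_WORKER and basename(ev.get("image", "")) in SHELLS:
            hits.append("TA0002 PowerShell spawned by IIS (w3wp.exe)")
    elif ev.get("type") == "network":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append("TA0001 connection to published OWASSRF IP " + ev["dst_ip"])
    return hits


def scan(text):
    """Return (host, label, event) for every IOC hit in JSON-per-line input."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for label in check_event(ev):
            findings.append((ev.get("host"), label, ev))
    return findings


if __name__ == "__main__":
    for host, label, ev in scan(SAMPLE_EVENTS):
        print(f"[{host}] {label}: {ev.get('cmdline') or ev.get('dst_ip')}")
```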

Which actions should security teams take? 

  • Microsoft released an update, KB5019758, as part of the November Patch Tuesday to fix the above vulnerabilities. It is recommended to update to this KB or a later one. If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.

  • If patching is not possible, it is recommended to disable remote PowerShell for non-administrative users where possible and to restrict access to external-facing Exchange servers.

  • Exchange Online customers do not need to take any additional action as they are already protected. 

  • Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.   

References 

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server 

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 

CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE 

OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations 

Original publication of the exploit by Huntress 
