February 10, 2023 HAWKEYE

OWASSRF Exploit – Targeting Arbitrary Code Execution on Microsoft Exchange OWA

Two zero-day vulnerabilities in Microsoft Exchange were reportedly being actively exploited on September 29, 2022, with the potential to lead to remote code execution (RCE).

Background

Microsoft assigned CVE-2022-41040 to the server-side request forgery (SSRF) vulnerability and CVE-2022-41082 to the remote code execution (RCE) vulnerability. Together, the two vulnerabilities are referred to as ProxyNotShell.

Researchers discovered a new attack on December 20th and named it OWASSRF. Malicious actors have used this exploit to bypass Microsoft’s advised mitigations. The recent ProxyNotShell attack is expected to target CVE-2022-41080, a major security vulnerability that permits remote privilege escalation on Exchange servers but has not yet been seen exploited in the wild. The initial ProxyNotShell exploit targeted CVE-2022-41040.

Timeline

  • September 29, 2022: The ProxyNotShell exploit was detected in the wild, targeting vulnerabilities CVE-2022-41040 and CVE-2022-41082.
  • November 8, 2022: Microsoft released its November Patch Tuesday, which included patches for six Microsoft Exchange vulnerabilities, including CVE-2022-41040, CVE-2022-41082, and CVE-2022-41080.
  • December 20, 2022: The OWASSRF exploit was detected in the wild, used by the Play ransomware group with CVE-2022-41080 and CVE-2022-41082 to enable RCE through Outlook Web Access.

OWASSRF Analysis

The discovery was made as part of a cybersecurity firm’s study of a number of Play ransomware intrusions, where it was determined that Microsoft Exchange was the usual entry point. After gaining initial access with the new exploit approach, threat actors used legitimate Plink and AnyDesk executables to maintain access, and they used anti-forensics techniques on the Microsoft Exchange server to hide their actions.

The two main parts of a Microsoft Exchange Server are the front end, also known as the Client Access Service, and the back end. All client connections are managed by the front end, which also routes all requests to the proper backend service. All individual frontend queries, including endpoint URLs, are handled by the backend services. Traditional ProxyNotShell exploit chains involve a two-step attack procedure. An authorized request to the front end is used to access the Autodiscover endpoint, which is used to notify clients about the services provided by the remote Microsoft Exchange server.

The backend service, or Remote PowerShell service, can be reached through the path confusion exploit for CVE-2022-41040, a server-side request forgery (SSRF) that lets threat operators access backend services through any URL. To take advantage of the SSRF vulnerability CVE-2022-41040, a web request to the front end contains a path confusion that refers to the Autodiscover endpoint. The second stage requires exploiting CVE-2022-41082 to issue arbitrary commands once the PowerShell remoting service is reachable. The common log entries showing access to the PowerShell backend appear in the Remote PowerShell HTTP logs.

The Play ransomware group exploited OWASSRF to bypass the ProxyNotShell URL rewrite mitigations and gain remote code execution (RCE) on susceptible servers via Outlook Web Access (OWA). Latin America is the group’s main target region, with Brazil as the main objective. The ransomware families Hive and Nokoyawa both employ the same tactics, techniques, and procedures (TTPs), including the use of AdFind, a command-line query tool for obtaining Active Directory information. To run arbitrary commands on infected servers, the ransomware developers used RemoteShell to take advantage of CVE-2022-41082, the vulnerability also exploited by the ProxyNotShell attack. Microsoft Exchange Server 2013, 2016, and 2019 without the KB5019758 patch are vulnerable to the new exploit.
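A log hunt for the behaviour described above, as an added example that is not code from the original article or from any vendor: it parses IIS W3C logs and flags requests to the OWA or Autodiscover front end that also reference the PowerShell backend. The sample lines, the "powershell" substring match, and the X-Forwarded-For column name are assumptions made for this example.

```python
from urllib.parse import unquote

# Front-end endpoints named in the article. Matching on the substring
# "powershell" is this example's assumption, not a vendor signature.
FRONTEND_PREFIXES = ("/owa", "/autodiscover")
BACKEND_MARKER = "powershell"

# Constructed IIS W3C sample (documentation IPs, made-up mailbox names).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip X-Forwarded-For sc-status
2022-12-20 10:01:02 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 10.0.0.5 198.51.100.7 200
2022-12-20 10:02:10 POST /owa/user%40example.test/powershell - 10.0.0.5 203.0.113.9 200
2022-12-20 10:02:44 POST /autodiscover/autodiscover.json a=user@example.test/PowerShell 10.0.0.5 203.0.113.9 200
2022-12-20 10:03:00 POST /powershell - 10.0.0.8 - 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def decode(value):
    """Undo up to two layers of percent-encoding, then lowercase."""
    return unquote(unquote(value)).lower()

def suspicious_requests(text):
    """Return (client, method, target) for OWA/Autodiscover requests that reference PowerShell."""
    hits = []
    for row in parse_w3c(text):
        stem = decode(row.get("cs-uri-stem", ""))
        query = decode(row.get("cs-uri-query", "-"))
        target = stem if query == "-" else stem + "?" + query
        if stem.startswith(FRONTEND_PREFIXES) and BACKEND_MARKER in target:
            # Behind a proxy c-ip is the proxy, so prefer the forwarded address.
            xff = row.get("X-Forwarded-For", "-")
            client = xff.split(",")[0] if xff != "-" else row.get("c-ip", "-")
            hits.append((client, row.get("cs-method", "-"), target))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

The direct request to /powershell in the sample is not flagged, because ordinary Remote PowerShell use reaches that endpoint without going through an OWA or Autodiscover path.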

The OWASSRF attack chain has been used to compromise Microsoft Exchange Servers running software versions 2013, 2016, and 2018, according to the most recent analysis from Rapid7. Exchange servers using Microsoft mitigations may be impacted, according to Rapid7 researchers, whereas patched systems appear to be unaffected.

Recommendations

  • To address the aforementioned vulnerabilities, Microsoft released a patch, KB5019758, as part of November Patch Tuesday. Applying this KB or a later update is advised. If you are unable to patch right away, disable OWA until the KB5019758 fix can be applied.
  • Disabling remote PowerShell for non-administrative users and limiting access to external-facing Exchange servers are advised if patching cannot be done.
  • Use cutting-edge endpoint detection and response (EDR) tools to detect web services that launch PowerShell or command-line processes on all endpoints.
  • Make sure the X-Forwarded-For header is set up to record actual external IP addresses when a request is made to a proxied service.
  • Software and security systems should also be kept up to date because new vulnerabilities are frequently found and fixed. Regular penetration testing and vulnerability assessments can also assist in spotting possible problems and resolving them before they can be used by attackers.
  • It’s crucial to thoroughly validate each user’s input and to make use of a security architecture that can identify and deny fraudulent requests. Restricting what a user can do on the server, for example by using a whitelist of authorized URLs, can also help reduce the danger of an attack.