Ransomware Groups Use Exploit to Bypass ProxyNotShell Mitigations

April 25, 2023

As the new year begins, threat actors associated with Play ransomware have begun using an exploit that bypasses ProxyNotShell mitigations for Microsoft Exchange servers.

This exploit chain, known as OWASSRF, utilizes an innovative technique that bypasses ProxyNotShell URL rewrite mitigations and grants remote code execution through Outlook Web Access (OWA).

Researchers are now advising organizations with unpatched Exchange servers to disable OWA until a fix for CVE-2022-41080 can be applied.

CVE-2022-41040

In November, Microsoft issued URL rewrite mitigations for the Autodiscover endpoint to patch a ProxyNotShell flaw (CVE-2022-41040), which allows remote code execution (RCE). Unfortunately, Play ransomware actors have discovered an exploit chain that circumvents these URL rewrite mitigations.

The new exploit method, OWASSRF, allows attackers to gain remote code execution on Exchange servers via Outlook Web Access. The attack chain relies on two vulnerabilities: CVE-2022-41040, a server-side request forgery flaw with a CVSS score of 8.8; and CVE-2022-41080, a remote privilege escalation bug with a CVSS score of 8.0.

CVE-2022-41040 allows an attacker with the right credential combination to access the privileged PowerShell API endpoint in an Exchange environment, located at https://%exchange server domain%/powershell. The vulnerability arises due to insufficient filtering of input data during Autodiscover.

CrowdStrike Services recently posted a blog post detailing how this exploit technique had been employed in “several” Play ransomware attacks and was “relatively effective,” though exactly how many attacks have taken place remains unknown. Furthermore, this exploit technique circumvents URL rewrite mitigations that had previously proven effective against earlier attacks.

CrowdStrike researchers recently identified the technique, known as OWASSRF, which relies on SSRF rather than the Autodiscover endpoint. They observed it in IIS and Remote PowerShell logs; further investigation revealed that Microsoft Defender AV also detected it, with robust detection for exploit behavior related to this threat.

Organizations should apply the November 8 security updates to Exchange in order to reduce risk. They should also ensure that X-Forwarded-For logging is enabled for requests made to Exchange proxied services such as Remote PowerShell and IIS, in order to detect any evidence of exploitation. Furthermore, organizations should monitor Exchange server logs closely and consider applying application-level controls such as web application firewalls to prevent further attacks.

CVE-2022-41080

Microsoft released URL rewrite mitigations in response to ProxyNotShell, but ransomware actors have discovered an exploit method that circumvents those safeguards and grants them initial access to Exchange servers. A recent research report from CrowdStrike indicates Play ransomware actors have begun employing this new exploit technique for initial access, taking advantage of the CVE-2022-41080 flaw, which permits remote code execution (RCE) through Outlook Web Access (OWA).

The Autodiscover endpoint on a remote Microsoft Exchange server can be accessed by sending an authenticated request to the front end, which handles client connection management. This request then triggers a path confusion exploit (CVE-2022-41040), which allows attackers to reach backend services at arbitrary URLs.

Once the initial attack sequence is complete, an attacker can continue the exploit chain by accessing the PowerShell remoting service through the OWA frontend endpoint instead of the Autodiscover endpoint. Although use of this frontend endpoint had not been observed in the wild before, it provides a new technique to bypass URL rewrite mitigations.

To reduce the risk, administrators must monitor Exchange servers for signs of exploitation in IIS and Remote PowerShell logs, and should consider application-level controls like web application firewalls to make sure that X-Forwarded-For headers record the true external IP addresses of requests to proxied services. Furthermore, organizations should disable Outlook Web Access (OWA) until the November 2022 Exchange Server patches are applied, in order to prevent exploitation via the OWASSRF vector.

Though the number of Exchange Servers vulnerable to ProxyNotShell has decreased since November 20, there are still many that remain accessible without patches, according to Tenable Network Security. Despite this decrease, CISA’s Known Exploited Vulnerabilities catalog lists CVE-2022-41080 and CVE-2023-21674 as vulnerabilities being actively exploited in the wild.

Microsoft Exchange continues to be targeted by cybercriminals because legacy vulnerabilities often remain unpatched. These servers remain prime targets for threat actors who use various exploits to gain access to systems and operate them remotely. Such weaknesses give them opportunities to steal data, compromise networks and launch ransomware campaigns with ease.

CVE-2022-41082

Microsoft recently released updates to address two vulnerabilities affecting Microsoft Exchange servers, CVE-2022-41040 and CVE-2022-41082. According to CrowdStrike researchers, recent ransomware exploits demonstrate an exploit technique that circumvents ProxyNotShell mitigations for Microsoft Exchange.

The first vulnerability, CVE-2022-41040, is a path confusion exploit that allows an attacker to access the Autodiscover endpoint and reach the Exchange backend for arbitrary URLs. CVE-2022-41082 allows an attacker to execute arbitrary code. These flaws allow adversaries to conduct pre-authenticated remote code execution (RCE) on unpatched Exchange Servers both online and off.

Though this attack pattern has been seen before, CrowdStrike researchers have developed a novel exploit chain called OWASSRF. It involves server-side request forgery (SSRF), similar to the Autodiscover technique, and exploits CVE-2022-41080 and CVE-2022-41082 together in order to gain remote code execution through Outlook Web Access (OWA).

CrowdStrike Services notes that this exploit technique is being employed by the Play ransomware group and could potentially impact organizations with Exchange Servers protected only by the ProxyNotShell mitigations. To mitigate the threat, organizations can add a blocking rule in IIS Manager > Default Web Site > Autodiscover > URL Rewrite for the pattern “.*autodiscover.json.*@.*Powershell”.

Organizations can scan IIS log files for signs of exploitation. CrowdStrike Services has developed a script that analyses these logs for evidence of exploitation. Application-level controls such as web application firewalls should also be considered, to ensure that the X-Forwarded-For header is configured to log true external IP addresses when requests are made to proxied services, according to researchers.

Similar to other security vulnerabilities, this exploit requires authenticated access to an Exchange server in order for attackers to take advantage of it. As such, organizations should apply the November 2022 patches released by Microsoft on Patch Tuesday and monitor IIS and Remote PowerShell logs for signs of exploitation, according to their research team. Those who cannot install these patches yet are encouraged to disable OWA temporarily.

OWASSRF

Research by CrowdStrike reveals that DEV-0671, a threat actor group which has affected federal organizations with its new ransomware payload, has been exploiting a zero-day flaw in Microsoft Exchange for at least one month to circumvent ProxyNotShell mitigations. According to their investigation, this OWASSRF vulnerability (CVE-2022-41080) has enabled them to compromise servers at both on-premises and cloud providers of Exchange services.

This exploit combines vulnerabilities CVE-2022-41040 and CVE-2022-41082, allowing remote code execution (RCE) via Outlook Web Access (OWA). It circumvents the URL rewrite defenses Microsoft provided for the Autodiscover endpoint in response to ProxyNotShell.

OWASSRF was employed in several attacks by the Play ransomware gang, and CrowdStrike Services has investigated several intrusions that utilized this exploit method. Research indicates that threat actors were able to circumvent URL rewrite defenses because their requests were made directly through the Outlook Web Application (OWA) endpoint rather than via the backend ProxyNotShell service.

CrowdStrike cautions that this OWASSRF exploit method may not be applicable to all Exchange systems due to some backend services required by the ProxyNotShell patch. Customers can protect themselves from OWASSRF attacks by applying the November 8, 2022 patches for Exchange and following Microsoft recommendations to disable remote PowerShell access for non-administrative users whenever feasible.

The OWASSRF exploit is being repurposed in attack campaigns by the Play ransomware group and the Cuba ransomware group. To mitigate these attacks, security organizations need to implement advanced endpoint detection and response (EDR) tools on all endpoints to detect web services that spawn PowerShell or command line processes. If an EDR tool detects a process that is suspicious in this context, it can block exploitation of CVE-2022-41080 and CVE-2022-41082 by threat actors.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
