New year, new exploit.
This time, it’s another exploit for Microsoft Exchange Server, and it’s out in the wild being actively used to gain control of unsuspecting organisations’ email servers.
Microsoft Exchange 2013, 2016 and 2019 has an RCE vulnerability (CVE-2022-41082) that allows threat actors to open an elevated remote PowerShell service, and from there, they effectively have the keys to the kingdom. A Ransomware group known as Play has developed an exploit chain that bypasses mitigations that Microsoft had provided for the exploit chain, meaning organisations that have only implemented those but have not yet applied the patch for it needs to do so immediately.
This vulnerability is one of 2 “ProxyNotShell” flaws in Microsoft Exchange Server; the other tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.
Microsoft has previously recommended that organisations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. They claim the blocking rule will help prevent known exploit patterns against the “ProxyNotShell” vulnerabilities.
New Exploit Chain Found
The big problem with the above is that an attack method is being observed in the wild that uses a 3rd little-known SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as the SSRF bug in the original “ProxyNotShell” exploit chain. This vulnerability allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in the same way they could when using CVE-2022-41040. This is a previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint instead of leveraging the Autodiscover endpoint. This new exploit chain involving CVE-2022-41080 and CVE-2022-41082 is known as “OWASSRF”.
The new exploit chain was discovered when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the “ProxyNotShell” RCE vulnerability CVE-2022-41082 to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers.
Patch Now or Disable OWA
So what can you do to mitigate this attack risk? Microsoft themselves advise that “organisations should apply the Nov. 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for “ProxyNotShell” are not effective against this exploit method; if you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.”
What Else Can You Do?
If you still have on-premises / hosted Microsoft Exchange Servers in production, migration to Microsoft 365 should be considered for the longer term. Other practices that can be implemented now to help protect yourself:
- Disable remote PowerShell for non-administrative users where possible
- As previously mentioned, apply the KB5019758 patch immediately
- If, for whatever reason, the patch cannot be installed, disable OWA
- Implement an EDR tool to help detect web services spawning PowerShell processed; Planet IT recommends the Sophos Intercept X Advanced with EDR product if you have an in-house SOC team to manage it
- If you don’t have an in-house SOC team, a managed SOC should be seriously considered; Planet IT highly recommends the Sophos MDR service
- CrowdStrike has released a PowerShell script to help detect signs of exploitation and use it at your own risk.
Also check our our CyberSecurity page on our website