Operators behind the Play ransomware are now using a new exploit chain that bypasses ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).
The exploit, dubbed “OWASSRF,” was discovered by researchers with cybersecurity firm CrowdStrike while investigating several Play ransomware incidents that involved compromised Microsoft Exchange servers.
ProxyNotShell is a moniker for a set of two high-severity Microsoft Exchange vulnerabilities (CVE-2022-41082 and CVE-2022-41040) that have been exploited in hacker attacks linked to a China-based threat actor. CVE-2022-41082 is a code injection issue that allows a remote user with access to PowerShell Remoting execute arbitrary code on vulnerable Exchange systems, while CVE-2022-41040 allows a remote attacker to perform SSRF attacks. Both bugs were fixed as part of Microsoft’s November 2022 Patch Tuesday release.
The new exploit chain spotted by CrowdStrike involves a SSRF equivalent to the Autodiscover technique and the exploit used in the second step of ProxyNotShell. After gaining initial access the threat actor used legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to fly under radar.
To execute arbitrary commands on hackers servers, the threat actor used Remote PowerShell to exploit the CVE-2022-41082 vulnerability.
“In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access," the researchers explained. “Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange.”
The researchers said that the second flaw abused by OWASSRF is likely CVE-2022-41080, a vulnerability that allows a remote user to escalate privileges on a vulnerable Microsoft Exchange server.
“Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,” the researchers advised.
