New Exploit Method for Microsoft Exchange “OWASSRF”

Referring to EG-FinCIRT report “Microsoft November 2022 Patch Tuesday” Number 257/2022, threat actors and ransomware groups have discovered a new exploit method that bypasses the Microsoft Exchange “ProxyNotShell” mitigations.

Threat actors are leveraging a new exploit chain, called “OWASSRF”, that bypasses the blocking rules for the “ProxyNotShell” vulnerabilities (CVE-2022-41040 and CVE-2022-41082) in Microsoft Exchange Server and takes advantage of the privilege escalation vulnerability CVE-2022-41080 to achieve remote code execution (RCE) through Outlook Web Access (OWA).

The attackers bypass the URL rewrite mitigations for the Autodiscover endpoint by reaching the backend of the Exchange server with arbitrary URLs (server-side request forgery, SSRF), then target the Remote PowerShell backend service to execute arbitrary commands.

It has been observed that some threat actors dropped legitimate “Plink” and “AnyDesk” executables after initial access, abusing them to maintain persistence and to hide their malicious activity on the Exchange server.

It should be highlighted that a proof-of-concept (PoC) Python script has been detected and leaked in the wild, and may be used by many threat actors for initial access.

Vulnerabilities

  • CVE-2022-41040
  • CVE-2022-41082
  • CVE-2022-41080

Mitigations

• Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation.

o Microsoft Security Update “KB5019758”.

• If Microsoft patch “KB5019758” is not installed, you should disable OWA until the patch can be applied.

• Follow Microsoft recommendations to disable remote PowerShell for nonadministrative users where possible.

• Deploy advanced endpoint detection and response (EDR) tools to all endpoints to detect web services spawning PowerShell or command line processes.

• Consider application-level controls such as web application firewalls.

• Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
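The EDR recommendation above (detect web services spawning PowerShell or command-line processes) can be expressed as a simple rule over process-creation telemetry. The script below is an added example, not part of the EG-FinCIRT report; it assumes Sysmon-style process-creation events (EventID 1) exported as one JSON object per line, and that the “web service” on an Exchange host is the IIS worker process w3wp.exe. The sample events are constructed.

```python
import json
import ntpath
from typing import Iterable

# Child processes an IIS worker should never launch (constructed watch-list).
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: w3wp.exe is the IIS worker process that hosts OWA/ECP and the
# PowerShell backend virtual directory on an Exchange server.
WEB_SERVICE_PARENTS = {"w3wp.exe"}


def _exe_name(path: str) -> str:
    """Return the lowercase file name from a Windows image path."""
    return ntpath.basename(path or "").lower()


def is_web_spawned_shell(event: dict) -> bool:
    """True when a process-creation event shows w3wp.exe spawning a shell."""
    if event.get("EventID") != 1:              # Sysmon EventID 1 = process create
        return False
    parent = _exe_name(event.get("ParentImage", ""))
    child = _exe_name(event.get("Image", ""))
    return parent in WEB_SERVICE_PARENTS and child in SHELL_CHILDREN


def find_web_spawned_shells(lines: Iterable[str]) -> list[dict]:
    """Scan JSON-per-line events and return the suspicious ones."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                            # skip malformed / non-JSON lines
        if is_web_spawned_shell(event):
            hits.append({"host": event.get("Computer", "?"),
                         "parent": _exe_name(event["ParentImage"]),
                         "child": _exe_name(event["Image"]),
                         "cmdline": event.get("CommandLine", "")})
    return hits


# Constructed sample telemetry; hostnames and command lines are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc <constructed>"},
    {"EventID": 1, "Computer": "EXCH01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                     # admin session, benign
    {"EventID": 3, "Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},            # not a process-create event
    {"EventID": 1, "Computer": "EXCH02", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not a json line"]
```

Running find_web_spawned_shells(SAMPLE_LOG) flags only the two w3wp.exe-to-shell events; in production the same rule would be fed from the EDR or Sysmon pipeline rather than a static list.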
