Chris Swagler | January 11th, 2023

Cybersecurity researchers discovered a new exploit method, OWASSRF, being exploited in the wild. The exploit chains the CVE-2022-41080 and CVE-2022-41082 vulnerabilities to achieve remote code execution (RCE) through Outlook Web Access (OWA). OWASSRF successfully bypasses the URL rewrite mitigations for the Autodiscover endpoint that Microsoft provided in response to ProxyNotShell.

The discovery was part of an investigation by a cybersecurity company into several Play ransomware intrusions where Microsoft Exchange was confirmed to be the common entry vector. Following the initial access using the new exploit method, threat actors used legitimate Plink and AnyDesk executables to maintain access and used anti-forensics tactics on the Microsoft Exchange server to conceal their behavior.

A Microsoft Exchange Server has two major components: the front end, or Client Access Service, and the back end. The front end manages all client connections and directs each request to the appropriate backend service. The backend services handle the specific frontend requests, which target URLs known as endpoints. With a traditional ProxyNotShell exploit chain, the attack proceeds in two steps. First, the Autodiscover endpoint, which informs clients about the services offered by the remote Microsoft Exchange server, is reached through an authenticated request to the front end.

That request abuses a path confusion, or server-side request forgery (SSRF), vulnerability, CVE-2022-41040, which lets threat operators reach backend services, such as the Remote PowerShell service, at arbitrary URLs. A web request to the front end exploiting the SSRF vulnerability CVE-2022-41040 includes a path confusion element that refers to the Autodiscover endpoint. Once the PowerShell remoting service is reachable, the second step exploits CVE-2022-41082 to execute arbitrary commands. The Remote PowerShell HTTP logs show the typical log entries that indicate access to the PowerShell backend.

Incident responders noticed that the Remote PowerShell logs resembled log entries for ProxyNotShell exploitation, implying the threat actors were using Remote PowerShell. By correlating the users, IP addresses, and cafeReqId GUIDs from the Remote PowerShell HTTP logs with the Exchange frontend logs, they discovered a POST request using the [email protected] mailbox to the following OWA URL: {exchange_host}/owa/{email_address}/powershell. The request appears to demonstrate a previously undocumented method of reaching the PowerShell remoting service through the OWA frontend endpoint rather than the Autodiscover endpoint. Incident responders also found that the creation timestamps of renamed Plink and AnyDesk executables on affected backend Exchange servers closely correlated with PowerShell execution events in the Remote PowerShell logs, which indicates that the threat actors used the newly discovered exploit chain to drop additional tools for persistent access to the affected Exchange servers. Because the threat actors cleared the Windows Event Logs on the affected backend Exchange servers, no further information on the PowerShell commands they used was available. When researchers replicated the attack, events for the creation of an arbitrary process from PowerShell appeared in the PowerShell event logs.
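The correlation described above, as an added illustration that is not from the original post or the investigating company: it flags frontend requests to the /owa/{mailbox}/powershell path and confirms them against backend Remote PowerShell entries sharing the same request ID, user and client IP. The sample lines are constructed, and their simplified six-field layout (including the request-ID field standing in for cafeReqId) is an assumption, not the real Exchange HttpProxy or Remote PowerShell log schema.

```python
import re

# Constructed sample lines in an assumed simplified layout (not the real Exchange
# log schema): timestamp, client IP, user, method, path, request ID (cafeReqId).
FRONTEND_LOG = """\
2023-01-09T10:00:01Z 203.0.113.5 CONTOSO\\jdoe POST /owa/ 4f1e9c2a-0000-4000-8000-000000000001
2023-01-09T10:00:07Z 203.0.113.5 CONTOSO\\jdoe POST /owa/jdoe@contoso.example/powershell 4f1e9c2a-0000-4000-8000-000000000002
2023-01-09T10:00:09Z 198.51.100.9 CONTOSO\\asmith POST /owa/asmith@contoso.example/powershell 4f1e9c2a-0000-4000-8000-000000000003
2023-01-09T10:00:12Z 203.0.113.5 CONTOSO\\jdoe POST /autodiscover/autodiscover.json 4f1e9c2a-0000-4000-8000-000000000004
"""
# Constructed backend Remote PowerShell HTTP log; the last field is the request ID
# that links each entry back to the frontend request. Request ...0003 never reached
# the backend, so it stays unconfirmed below.
RPS_LOG = """\
2023-01-09T10:00:07Z 203.0.113.5 CONTOSO\\jdoe POST /powershell 4f1e9c2a-0000-4000-8000-000000000002
"""

# Any request whose path routes through OWA to the PowerShell backend is anomalous.
OWA_POWERSHELL = re.compile(r"^/owa/[^/]+/powershell(?:/|$)", re.IGNORECASE)


def parse(log):
    """Split each line into the six assumed fields."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, method, path, req_id = line.split(maxsplit=5)
        rows.append({"ts": ts, "ip": ip, "user": user, "method": method,
                     "path": path, "req_id": req_id})
    return rows


def find_owassrf_candidates(frontend_log, rps_log):
    """Return frontend hits on /owa/<mailbox>/powershell, marking those confirmed
    by a backend RPS entry with matching request ID, user and client IP."""
    backend = {r["req_id"]: r for r in parse(rps_log)}
    hits = []
    for r in parse(frontend_log):
        if not OWA_POWERSHELL.match(r["path"]):
            continue
        b = backend.get(r["req_id"])
        confirmed = b is not None and b["ip"] == r["ip"] and b["user"] == r["user"]
        hits.append({**r, "backend_confirmed": confirmed})
    return hits


if __name__ == "__main__":
    for hit in find_owassrf_candidates(FRONTEND_LOG, RPS_LOG):
        print(hit["ts"], hit["ip"], hit["user"], hit["path"], "confirmed" if hit["backend_confirmed"] else "unconfirmed")
```

A confirmed hit warrants checking the backend server for renamed tooling and process-creation events near that timestamp, as the responders did; an unconfirmed hit shows the request reached the front end but not the PowerShell backend.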

The Play ransomware group used OWASSRF to bypass the ProxyNotShell URL rewrite mitigations and gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). The group’s primary target region is Latin America, with Brazil being the top target. Its tactics, techniques, and procedures (TTPs) are identical to those used by the Hive and Nokoyawa ransomware families, including the use of AdFind, a command-line query tool for obtaining Active Directory information. The ransomware operators used Remote PowerShell to exploit CVE-2022-41082, the same vulnerability exploited by ProxyNotShell, to execute arbitrary commands on compromised servers. The affected products are Microsoft Exchange Server 2013, 2016, and 2019 before the KB5019758 patch update.

With Business Email Compromise (BEC) attacks on the rise, accounting for over one-third of all successful cyberattacks, and ransomware groups using new exploit methods to target new vulnerabilities, including those in Microsoft Exchange servers, it’s important for companies to stay ahead of the current threat landscape and regularly apply update patches to their software. At SpearTip, our pre-breach advisory services allow our engineers to examine companies’ security postures and improve the weak points in their networks. Our team engages companies’ people, processes, and technology to measure the maturity of the technical environment. For every vulnerability we uncover, our experts provide a technical roadmap ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear Threat Hunting service is a critical pre-breach step in evaluating the effectiveness of companies’ current security measures and allows our engineers to hunt for and identify advanced malware.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.