Threat actors affiliated with the Play ransomware strain are leveraging a never-before-seen exploit method that bypasses Microsoft’s ProxyNotShell URL rewrite mitigation.
A New Exploit Chain
CrowdStrike researchers have discovered a new exploit method they have named OWASSRF, or Outlook Web Access Server-Side Request Forgery.
The novel exploit affects Exchange Server 2013, 2016 and 2019 by chaining CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The method bypasses the URL rewrite mitigations Microsoft published earlier for the ProxyNotShell exploit. Organizations that have only implemented the URL rewrite mitigations but have not yet applied the patch need to do so immediately.
CrowdStrike’s research team described the Play ransomware group’s new exploit chain as a “novel, previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint.”
Microsoft has assigned the bug the same severity rating (8.8) as the original ProxyNotShell exploit chain and urges customers to prioritize installing the latest updates, specifically the November 2022 Exchange Server updates.
CrowdStrike’s Recommendations
- Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation, since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method.
- If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.
- Follow Microsoft recommendations to disable remote PowerShell for non-administrative users where possible.
- Deploy advanced endpoint detection and response (EDR) tools to all endpoints to detect web services spawning PowerShell or command-line processes. CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog, and will block it if the prevention setting for Execution Blocking > Suspicious Processes is applied.
- Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services.
- Consider application-level controls such as web application firewalls.
- Ensure the X-Forwarded-For header is logged so that the true external IP addresses of requests to proxied services are recorded.
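Two of the checks above, the EDR rule for web services spawning PowerShell or command-line processes and the IIS log review using X-Forwarded-For, as added example code written for this page (it is not CrowdStrike's script or Messageware's product); the Sysmon-style process field names, the proxy address and the log lines are constructed assumptions.

```python
from ipaddress import ip_address

IIS_WORKER = "w3wp.exe"            # IIS worker process that hosts the OWA app pool
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TRUSTED_PROXIES = {"10.0.0.5"}     # assumed address of your own reverse proxy
# Constructed process-creation events (Sysmon-style field names are an assumption).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
# Constructed IIS W3C log with X-Forwarded-For added as a custom logging field.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem X-Forwarded-For
2022-12-20 10:00:01 10.0.0.5 POST /owa/ 203.0.113.7,10.0.0.5
2022-12-20 10:00:02 10.0.0.5 POST /owa/ 198.51.100.9,203.0.113.7,10.0.0.5
2022-12-20 10:00:03 192.0.2.4 GET /owa/ -""".splitlines()

def web_worker_spawned_shell(events):
    """Events where w3wp.exe spawned a shell; IIS should not normally do this."""
    def base(path): return path.rsplit("\\", 1)[-1].lower()
    return [e for e in events
            if base(e["ParentImage"]) == IIS_WORKER and base(e["Image"]) in SHELLS]

def parse_w3c(lines):
    """Turn IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def true_client_ip(row, trusted_proxies):
    """External client address from X-Forwarded-For: proxies append left to right,
    so strip the entries added by proxies you operate, take the next one, and treat
    anything further left as client-supplied (forgeable). Falls back to c-ip."""
    raw = row.get("X-Forwarded-For", "-")
    chain = [p.strip() for p in raw.split(",") if p.strip() not in ("", "-")]
    while chain and chain[-1] in trusted_proxies:
        chain.pop()
    try:
        return str(ip_address(chain[-1])) if chain else row["c-ip"]
    except ValueError:
        return row["c-ip"]

def owa_requests_by_client(lines, trusted_proxies):
    """Pair every OWA frontend request with the address that really sent it."""
    return [(true_client_ip(r, trusted_proxies), r["cs-method"], r["cs-uri-stem"])
            for r in parse_w3c(lines) if r["cs-uri-stem"].lower().startswith("/owa")]
```

The process check should be tuned against a baseline of the server's normal child processes before it is used for blocking.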
Reach out to Messageware to improve Microsoft Exchange Server Security
If you are not protecting all the protocols used by your Exchange Server, you’re putting your company at a higher risk of a data breach.
Security incidents happen frequently. They cause disruption and data loss, and they can damage your company's reputation. However, if you implement these steps, you are doing more than most other companies. Have you heard about Messageware's EPG, which offers advanced Exchange Server security to protect organizations from a variety of logon and password attacks, as well as extensive real-time reporting and alerts on suspicious logon activity?