Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers

Play ransomware attacks target Exchange servers with a new exploit that bypasses Microsoft’s ProxyNotShell mitigations.

Play ransomware operators target Exchange servers using a new exploit chain, dubbed OWASSRF by Crowdstrike, that bypasses Microsoft’s mitigations for ProxyNotShell vulnerabilities.

The ProxyNotShell flaws are:

• CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability

they impact Exchange Server 2013, 2016, and 2019, an authenticated attacker can trigger them to elevate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on vulnerable servers.

Microsoft addressed both vulnerabilities with the release of Patch Tuesday updates for November 2022 security updates.

The exploit was used by attackers to bypass URL rewrite mitigations for the Autodiscover endpoint implemented by Microsoft in response to ProxyNotShell. Then the ransomware gang leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.

“CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.” reads the analysis published by Crowdstrike. “After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.”

In the attacks investigated by the experts, the threat actor cleared Windows Event Logs on affected backend Exchange servers to prevent investigation on the PowerShell commands used by the attackers.

CrowdStrike security researchers were working to develop proof-of-concept (POC) code in an attempt to reproduce the one used in recent Play ransomware attacks. Simultaneously, a researcher from
HuntressLabs discovered an attacker’s tooling via an open repository and shared it through a MegaUpload link.

The leaked tools included a Python script, poc.py, that when executed, led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks.

CrowdStrike researchers Dray Agha replicated the exploit method attack on Exchange systems that were not patched against ProxyNotShell, but could not replicate the attack on patched systems.

Organizations are recommended to apply Microsoft’s November 2022 security updates immediately, disable remote PowerShell for non-administrative users, and to deploy endpoint detection and response (EDR) tools.

Users that cannot apply the KB5019758 patch immediately should disable OWA until the patch can be applied.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]