Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA).

“The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint,” CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday.

Play ransomware, which first surfaced in June 2022, has been revealed to adopt many tactics employed by other ransomware families such as Hive and Nokoyawa, the latter of which upgraded to Rust in September 2022.

The cybersecurity company’s investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting CVE-2022-41040, but rather through the OWA endpoint.

Dubbed OWASSRF, the technique likely takes advantage of another critical flaw tracked as CVE-2022-41080 (CVSS score: 8.8) to achieve privilege escalation, followed by abusing CVE-2022-41082 for remote code execution.

MS Exchange ProxyNotShell RCE

It’s worth noting that both CVE-2022-41040 and CVE-2022-41080 stem from a case of server-side request forgery (SSRF), which permits an attacker to access unauthorized internal resources, in this case the PowerShell remoting service.

CrowdStrike said the successful initial access enabled the adversary to drop legitimate Plink and AnyDesk executables to maintain persistent access as well as take steps to purge Windows Event Logs on infected servers to conceal the malicious activity.

All three vulnerabilities were addressed by Microsoft as part of its Patch Tuesday updates for November 2022. It’s, however, unclear if CVE-2022-41080 was actively exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.

The Windows maker, for its part, has tagged CVE-2022-41080 with an “Exploitation More Likely” assessment, implying it’s possible for an attacker to create exploit code that could be utilized to reliably weaponize the flaw.

CrowdStrike further noted that a proof-of-concept (PoC) Python script discovered and leaked by Huntress Labs researcher Dray Agha last week may have been put to use by the Play ransomware actors for initial access.

This is evidenced by the fact that the execution of the Python script made it possible to “replicate the logs generated in recent Play ransomware attacks.”

“Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,” the researchers said.

Update#

Cybersecurity company Rapid7, in a related advisory on Wednesday, said it has observed an “increase in the number of Microsoft Exchange Server compromises” through the aforementioned OWASSRF exploit chain to gain remote code execution.

“Patched servers do not appear vulnerable, servers only utilizing Microsoft’s mitigations do appear vulnerable,” Rapid7 researcher Glenn Thorpe noted. “Threat actors are using this to deploy ransomware.”

In a statement shared with The Hacker News, a Microsoft spokesperson said “the reported method exploits vulnerable systems that have not applied our latest security updates,” adding “customers should prioritize installing the latest updates, specifically our November 2022 Exchange Server updates.”