Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations

Recent Play ransomware attacks targeting Exchange servers were observed using a new exploit chain that bypasses Microsoft’s ProxyNotShell mitigations.

Similar to the old ProxyShell vulnerability, ProxyNotShell consists of two security defects in Exchange Server: CVE-2022-41040, a server-side request forgery (SSRF) bug with a CVSS score of 8.8; and CVE-2022-41082, a remote code execution (RCE) flaw with a CVSS score of 8.0.

The two vulnerabilities were initially reported in September, when they were already being exploited in attacks. Microsoft addressed these bugs as part of its November 2022 Patch Tuesday security updates.

The ProxyNotShell exploit chain targets CVE-2022-41040 to access the Autodiscover endpoint and reach the Exchange backend for arbitrary URLs, after which CVE-2022-41082 is exploited to execute arbitrary code. In response, Microsoft deployed a series of URL rewrite mitigations for the Autodiscover endpoint.

The recently observed Play ransomware attacks, however, gain initial access by means of a new exploit chain – which CrowdStrike has named OWASSRF – that involves a SSRF equivalent to the Autodiscover technique and the exploit used in the second step of ProxyNotShell.

OWASSRF provides attackers with access to the PowerShell remoting service through the Outlook Web Application (OWA) instead of Autodiscover. The attack likely exploits CVE-2022-41080, a high-severity privilege escalation flaw impacting Exchange Server 2016 and 2019, the cybersecurity firm says.

CVE-2022-41080 was resolved on November 8 alongside ProxyNotShell vulnerabilities and another privilege escalation flaw, tracked as CVE-2022-41123, which is described as a DLL hijacking bug.

“CVE-2022-41080, has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022-41040 used in the ProxyNotShell exploit chain, and it has been marked ‘exploitation more likely’. Based on these findings, CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022-41080,” CrowdStrike says.

Organizations are advised to apply Microsoft’s November 2022 patches as soon as possible, to mitigate ProxyNotShell and other exploited vulnerabilities, to disable remote PowerShell for non-administrative users, and to deploy endpoint detection and response (EDR) tools that can detect potential exploitation attempts.

Leave a Reply

Your email address will not be published.