Play ransomware operators target Exchange servers using a new exploit chain, dubbed OWASSRF by Crowdstrike, that bypasses Microsoft’s mitigations for ProxyNotShell vulnerabilities.
The ProxyNotShell flaws are:
- CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability
They impact Exchange Server 2013, 2016, and 2019. An authenticated attacker can trigger them to elevate privileges, run PowerShell in the context of the system, and gain arbitrary or remote code execution on vulnerable servers.
Microsoft addressed both vulnerabilities in the November 2022 Patch Tuesday security updates.
Attackers used the exploit to bypass the URL rewrite mitigations that Microsoft implemented for the Autodiscover endpoint in response to ProxyNotShell. The ransomware gang then used the legitimate Plink and AnyDesk executables to maintain access, and applied anti-forensics techniques on the Microsoft Exchange server in an attempt to hide its activity.