New Exchange attack bypasses ProxyNotShell mitigations

Overview

The Play ransomware group has been observed attacking unpatched Microsoft Exchange servers through a combination of exploits that researchers are calling OWASSRF.

The attack chain exploits the same authenticated remote code execution vulnerability (RCE; CVE-2022-41082) used in the ProxyNotShell attack and patched in November, but reaches it through an SSRF (CVE-2022-41080) in the Outlook Web Access (OWA) endpoint rather than the Autodiscover endpoint. Because of this, the attack bypasses the URL rewrite mitigations that Microsoft previously recommended and delivered through its Emergency Mitigation Service.

The exploit code has been published by researchers and is now available for other threat actors to use.

Impact

A malicious remote attacker can execute PowerShell on an unpatched Exchange server.

Affected Products

Exchange Server 2019, 2016, and 2013 without the 8th November patch.

Containment, Mitigations & Remediations

KB5019758 contains details of the update.

Customers unable to update Exchange immediately should disable OWA until the patch is applied.

Microsoft recommends that on-premises Exchange owners disable remote PowerShell access for non-admin users.

Indicators of Compromise

45.76.141[.]84
45.76.143[.]143

Exploitation attempts will show in IIS logs as posts to the following OWA URL:

https://{exchange_host}/owa/{email_address}/powershell
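As an added defender-side example (not part of the bulletin or any vendor tooling), the following Python scans an IIS W3C log for POSTs to that OWA path; the log excerpt and client addresses are constructed for demonstration.

```python
import re
from typing import Dict, Iterator, List

# Matches POSTs to /owa/<email_address>/powershell, the OWA path the bulletin
# says OWASSRF exploitation attempts leave in IIS logs. Case-insensitive and
# tolerant of a trailing slash; the middle segment is whatever stands in for
# the email address.
OWASSRF_PATH = re.compile(r"^/owa/[^/]+/powershell/?$", re.IGNORECASE)

# Constructed IIS W3C log excerpt for demonstration; not taken from the bulletin.
# 198.51.100.7 and 192.0.2.10 are documentation addresses, not real indicators.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-12-21 10:14:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-12-21 10:14:09 10.0.0.5 POST /owa/user@example.com/powershell - 443 198.51.100.7 python-requests/2.28.1 200
2022-12-21 10:14:11 10.0.0.5 POST /owa/USER@EXAMPLE.COM/PowerShell/ - 443 198.51.100.7 python-requests/2.28.1 200
2022-12-21 10:16:00 10.0.0.5 GET /owa/user@example.com/powershell - 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 404
2022-12-21 10:17:45 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no entries
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_owassrf_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return entries matching the POST-to-/owa/<address>/powershell pattern."""
    hits = []
    for entry in parse_iis_w3c(log_text):
        if entry.get("cs-method") == "POST" and OWASSRF_PATH.match(entry.get("cs-uri-stem", "")):
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry.get("c-ip", "?"),
                "uri": entry["cs-uri-stem"],
                "status": entry.get("sc-status", "?"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_owassrf_attempts(SAMPLE_IIS_LOG):
        print(hit)
```

Matches with a 200 status deserve the closest look, since a successful POST to this path indicates the request reached the PowerShell backend.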

Threat Group

Play is a double-extortion ransomware group and has been linked to the Hive and Nokoyawa groups based on tactics, techniques and procedures (TTPs), victimology and attack chain commonalities.
All three are known to target victims in Latin American countries.

Threat Landscape

The original ProxyShell attack chain combined several exploits to reach remote code execution on an Exchange server.
ProxyNotShell was a later attack that used the same SSRF vector.

Mitre Methodologies

T1210 – Exploitation of Remote Services

T1068 – Exploitation for Privilege Escalation

Further Information

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: 8th November 2022 (KB5019758)

OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations

Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE