Get in Touch
New Exchange attack bypasses ProxyNotShell mitigations
The Play ransomware group has been observed attacking unpatched Microsoft Exchange servers through a combination of exploits that researchers are calling OWASSRF.
The attack chain exploits the same authenticated remote code execution (RCE; CVE-2022-41082) used in the ProxyNotShell attack, patched in November but targeted via an SSRF (CVE-2022-41080) in the Outlook Web Access (OWA) endpoint rather than the Autodiscover endpoint. By doing this, the attack bypasses URL rewrite mitigations that Microsoft previously recommended and provided through their Emergency Mitigation Service.
The exploit code has been published by researchers and is now available for other threat actors to use.
A malicious remote attacker can execute PowerShell on an unpatched Exchange server.
Exchange Server 2019, 2016, and 2013 without the 8th November patch.
Containment, Mitigations & Remediations
KB5019758 contains details of the update.
Customers unable to update Exchange immediately should disable OWA until the patch is applied.
Microsoft recommends Exchange on-premise owners disable remote PowerShell access for non-admin users.
Indicators of Compromise
Exploitation attempts will show in IIS logs as posts to the following OWA URL:
Play is a double-extortion ransomware group and has been linked to the Hive and Nokoyawa groups based on tactics, techniques and procedures (TTPs), victimology and attack chain commonalities.
All three are known to target victims in Latin American countries.
The original ProxyShell attack chain was a combination of exploits that would lead to remote code execution on an Exchange server.
ProxyNotShell was another attack which used the same SSRF vector.
T1210 – Exploitation of Remote Services
T1068 – Exploitation for Privilege Escalation
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: 8th November 2022 (KB5019758)
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
Rapid7 Observed Exploitation of `OWASSRF` in Exchange for RCE