OWASSRF Exploit Detection: New Exploit Method Abuses Exchange Servers to Bypass ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) Mitigations and Gain RCE
On December 20, 2022, cybersecurity researchers uncovered a novel exploit method dubbed OWASSRF that involves chaining CVE-2022-41080 and CVE-2022-41082 vulnerabilities to gain RCE through privilege escalation via Outlook Web Access (OWA). OWASSRF is capable of bypassing ProxyNotShell mitigations. Cyber defenders highlight that these ongoing attacks pose a threat to an increasing number of Microsoft Exchange servers.
Detect OWASSRF Exploitation Attempts
Microsoft Exchange zero-day vulnerabilities known as ProxyNotShell have been actively exploited in the wild since September 2022, keeping cyber defenders across the globe alert to their potential impact. With the discovery of a new exploit method called OWASSRF, which chains the CVE-2022-41080 and CVE-2022-41082 vulnerabilities and bypasses Microsoft mitigations for ProxyNotShell, defenders have to brace themselves for a new threat.
To help global organizations identify potential compromises of their Microsoft Exchange servers in a timely manner, SOC Prime Platform curates a list of dedicated Sigma rules. These detection algorithms, developed by the SOC Prime Team and our Threat Bounty content contributor, Nasreddine Bencherchali, can be applied across industry-leading SIEM, EDR, XDR, and data analytics solutions. All Sigma rules are aligned with MITRE ATT&CK®, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the major technique.
Join the forces of crowdsourced content development via the Threat Bounty Program to help the global cyber defender community stay ahead of attackers. Write your own Sigma rules tagged with ATT&CK, get them published to SOC Prime Platform, and earn both money and recognition from your industry peers.
Click the Explore Detections button to reach the full collection of newly released Sigma rules for the detection of OWASSRF exploitation attempts. Looking for metadata? Explore the relevant cyber threat context, including ATT&CK and CTI links, executable binaries, mitigations, and drill down for more details.
OWASSRF Analysis: Novel Exploitation Chain to Compromise Exchange Servers for Remote Code Execution
A major headache for security practitioners during the holiday season has been uncovered by CrowdStrike researchers. The recent inquiry details a novel exploitation method enabling adversaries to compromise Microsoft Exchange servers for RCE. Dubbed OWASSRF, the malicious technique allows attackers to bypass the URL rewrite mitigations introduced by Microsoft for ProxyNotShell and achieve RCE through privilege escalation via Outlook Web Access (OWA).
Initially, OWASSRF was observed during research into Play ransomware campaigns. The adversaries relied on affected Exchange servers to penetrate the targeted network. Researchers suspected attackers leveraged the typical Microsoft Exchange ProxyNotShell chain (CVE-2022-41040, CVE-2022-41082). However, the log data showed no signs of CVE-2022-41040 being exploited for initial access. Instead, the requests were spotted directly through the OWA endpoint, revealing an unknown exploit chain for Exchange.
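The log triage described above, sketched as an added example (not code from this article, CrowdStrike, or SOC Prime's Sigma rules): it separates front-end requests that arrive through Autodiscover from those that arrive through OWA. The "PowerShell backend named in the request path" heuristic, the field layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from a real server); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-01 10:00:01 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 192.0.2.10 200
2022-12-01 10:00:07 POST /owa/user%40example.com/powershell - 198.51.100.7 200
2022-12-01 10:00:09 POST /autodiscover/autodiscover.json @example.com/powershell/ 198.51.100.7 200
2022-12-01 10:00:12 POST /OWA/service.svc action=GetFolder 192.0.2.11 200
2022-12-01 10:00:15 POST /powershell - 192.0.2.20 401
"""

# Assumed heuristic: the Remote PowerShell backend named inside a front-end request.
PS_BACKEND = re.compile(r"/powershell(/|$|\?)", re.I)

def classify(stem, query):
    """Return 'owa', 'autodiscover' or None for one request."""
    stem = unquote(stem).lower()  # normalise %40-style encoding and case
    target = stem + ("?" + unquote(query).lower() if query != "-" else "")
    if stem.startswith("/owa/") and PS_BACKEND.search(target):
        return "owa"           # front end is OWA: the chain this page describes
    if stem.startswith("/autodiscover/") and PS_BACKEND.search(target):
        return "autodiscover"  # ProxyNotShell-style front end
    return None

def scan(log_text):
    """Return [(line_no, client_ip, kind)] for suspicious lines in a W3C log."""
    fields, hits = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can differ per server
            continue
        if not line or line.startswith("#") or not fields:
            continue                    # skip comments and lines with no schema
        row = dict(zip(fields, line.split()))
        kind = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if kind:
            hits.append((no, row.get("c-ip"), kind))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A server whose URL rewrite rule covers only the Autodiscover path would still show the "owa" class of hit, which is why both front ends are checked.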
The investigation revealed that attackers relied on another vulnerability while leveraging the OWASSRF method. Specifically, hackers exploited CVE-2022-41080, which enables remote privilege escalation on Exchange servers. The flaw was reported to Microsoft and fixed in November 2022. Interestingly, this security gap was considered critical but not exploited in the wild at that time.
On December 14, 2022, a proof-of-concept (PoC) exploit was posted on the web by researcher Dray Agha along with another offensive toolkit. According to CrowdStrike, this PoC matched the exploit used in Play ransomware attacks to deliver remote access tools such as Plink and AnyDesk.
According to the latest report by Rapid7, security experts are observing a growing rate of Microsoft Exchange servers compromised via the OWASSRF exploit chain, including software versions 2013, 2016, and 2018. Rapid7 researchers note that Exchange servers relying on Microsoft mitigations can be affected, while patched servers do not appear to be vulnerable. To protect their infrastructure in a timely manner, exposed organizations are urged to apply the November 8, 2022 Patch Tuesday fix by Microsoft addressing CVE-2022-41082. If immediate patching is not an option, vendors are advised to disable OWA completely.
As additional mitigation measures, vendors should follow Microsoft recommendations to disable PowerShell for users without admin privileges, constantly monitor their Exchange servers for any signs of compromise, apply web application firewalls, and adopt security best practices to maintain cyber hygiene.
Keep abreast of adversaries with proactive cyber defense capabilities right at hand, including 700 Sigma rules for existing vulnerabilities. Instantly reach 120+ detections for free or get fully equipped with On-Demand at https://my.socprime.com/pricing.