Share this article on:
A new exploit that allows bad actors to use Outlook Web Access to remotely run code on the Microsoft Exchange Server has been discovered by security researchers at CrowdStrike.
Dubbed Outlook Web Access Server-Side Request Forgery (OWASSRF), the method makes use of two vulnerabilities to sidestep Microsoft’s ProxyNotShell mitigations and access Exchange servers, which could now be subject to a wave of new cyber attacks.
The two flaws, being CVE-2022-41040 and CVE-2022-41082, can be triggered by an attacker to run Microsoft’s task automation and config management program Powershell, and gain the ability to run remote code.
CrowdStrike found that operators from the Play Ransomware group had been using OWASSRF to access the Microsoft Exchange Server, before attempting to mask their actions by clearing Windows Event Logs on affected backend Exchange servers.
“After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity,” said CrowdStrike in a press release.
CrowdStrike researchers had been working to develop proof-of-concept code to emulate the breach. While researcher Dray Agha was able to recreate the exploit method attack on Exchange systems that had not been patched against ProxyNot Shell, he was unable for patched systems.
179.60.149.28
— Dray Agha (@Purp1eW0lf) December 14, 2022
- Initial access #ProxyNotShell
- Bitsadmin to download tooling (http://179.60.149.28:4427/).
- Installed Screen Connect, ID: b81d2f07c9163bf5, URL: instance-cmjrni-relay.screenconnect[.]com
- Deployed Mimikatz
Crawled and saved their tools, you can access... pic.twitter.com/8vA3LNtpul
Organisations have been recommended to disable remote PowerShell for non-admin users, to update to Microsoft’s November 2022 security updates and deploy endpoint detection and response tools.
Organisations that for any reason are unable to apply the November Microsoft patches should disable Outlook Web Access.