Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Ransomware groups bypass ProxyNotShell mitigations with new exploit

A new exploit that allows bad actors to use Outlook Web Access to remotely run code on the Microsoft Exchange Server has been discovered by security researchers at CrowdStrike.

user icon Daniel Croft
Fri, 30 Dec 2022
Ransomware groups bypass ProxyNotShell mitigations with new exploit
expand image

Dubbed Outlook Web Access Server-Side Request Forgery (OWASSRF), the method makes use of two vulnerabilities to sidestep Microsoft’s ProxyNotShell mitigations and access Exchange servers, which could now be subject to a wave of new cyber attacks.

The two flaws, being CVE-2022-41040 and CVE-2022-41082, can be triggered by an attacker to run Microsoft’s task automation and config management program Powershell, and gain the ability to run remote code.

CrowdStrike found that operators from the Play Ransomware group had been using OWASSRF to access the Microsoft Exchange Server, before attempting to mask their actions by clearing Windows Event Logs on affected backend Exchange servers.

============
============

“After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity,” said CrowdStrike in a press release.

CrowdStrike researchers had been working to develop proof-of-concept code to emulate the breach. While researcher Dray Agha was able to recreate the exploit method attack on Exchange systems that had not been patched against ProxyNot Shell, he was unable for patched systems.

Organisations have been recommended to disable remote PowerShell for non-admin users, to update to Microsoft’s November 2022 security updates and deploy endpoint detection and response tools.

Organisations that for any reason are unable to apply the November Microsoft patches should disable Outlook Web Access.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.