A new Microsoft Exchange flaw is being used to attack servers and deliver remote access tools and remote administration software, researchers have revealed.
Cybersecurity experts from CrowdStrike stumbled upon a new exploit chain while investigating a Play ransomware attack. After further analysis, it was concluded that the exploit chain bypasses mitigations for the ProxyNotShell URL rewrite flaw, allowing threat actors remote code execution (RCE) privileges on target endpoints (opens in new tab).
They dubbed the exploit OWASSRF, and explained that the attackers leveraged Remote PowerShell to abuse flaws tracked as CVE-2022-41080, and CVE-2022-41082.
Privilege excalation on Exchange servers
“It appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange,” the researchers explained in a blog post (opens in new tab).
When Microsoft first discovered CVE-2022-41080, it gave it a “critical” rating, as it allowed remote privilege escalation on Exchange servers, but also added that there was no evidence of the bug being exploited in the wild. Therefore, it’s hard to determine if the flaw was being abused as a zero-day, even before the patch was available.
The patch, however, is available, and all organizations with on-prem Microsoft Exchange servers are advised to apply at least the November 2022 cumulative update to stay safe. If they are unable to apply the patch at the moment, disabling OWA is advised.
CrowdStrike believes that the attackers were using the flaw to deliver remote access tools Plink and AnyDesk, as well as the ConnectWise remote administration software.
Microsoft Exchange servers are a popular target for cybercriminals, but the company is well aware of this fact and has been deploying various solutions to try and keep its customers secure. Among other things, it announced it would be permanently turning off Exchange Online basic authentication in early January 2023.
“Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope,” the company said. “Soon after basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error.”
For years now, Microsoft has been warning users that Exchange Online basic authentication will eventually be sunsetted and replaced with a more modern authentication method.
