- While investigating recent Play ransomware attacks, CrowdStrike Services discovered a new exploit method called OWASSRF.
- The method consists of two vulnerabilities to achieve remote code execution through Outlook Web Access.
- In the new method, after initial access, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and performed anti-forensics techniques on the Microsoft Exchange server.
While investigating various Play ransomware intrusions, CrowdStrike Services found a new exploit method, named OWASSRF. It exploits two vulnerabilities, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution through Outlook Web Access. The new method aims to bypass URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.
OWASSRF
While investigating the log, researchers noticed that there is no evidence of exploitation of CVE-2022-41040 for initial access. Instead, they found out that the corresponding requests were made directly through the Outlook Web Application endpoint. Which indicates a previously undisclosed exploit method for Exchange.
CVE-2022-41080 has a critical rating. It allows remote privilege escalation on Exchange servers, but there were no reports of the bug being exploited in the wild. On the other hand, the vulnerability was patched in the November cumulative update. For organizations that can’t apply the patch yet, CrowdStrike advises disabling the OWA.
While CrowdStrike researchers were working on developing a proof-of-concept for the exploit method, a threat researcher outside the company discovered an attacker’s tool in an open repository, downloaded all of the tools, uploaded all of them to MegaUpload and shared them with a Twitter post. The tool includes a Python script, when executed, allowed researchers to replicate the logs generated in recent Play ransomware attacks.
Works in two steps
It works in two steps, the first one is the previously unknown OWA exploit technique. The first step provides an SSRF equivalent to the Autodiscover technique used in ProxyNotShell exploitation. The second step is simply the same exploit used in the second step of ProxyNotShell, allowing code execution through PowerShell remoting. CrowdStrike recommends,
- Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method.
- If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.
- Follow Microsoft recommendations to disable remote PowerShell for non-administrative users where possible.
- Deploy advanced endpoint detection and response (EDR) tools to all endpoints to detect web services spawning PowerShell or command line processes. CrowdStrike Falcon will detect the OWASSRF exploit method and will block the method if the prevention setting for Execution Blocking > Suspicious Processes is applied.
- Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services.
- Consider application-level controls such as web application firewalls.
- Ensure the X-Forwarded-For header is configured to log true external IP addresses for requests to proxied services.