Headline
Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit
The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.
The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November.
The new method bypasses mitigations that Microsoft had provided for the exploit chain, meaning organizations that have only implemented those but have not yet applied the patch for it need to do so immediately.
The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called “ProxyNotShell” flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.
In the attack that GTSC reported, the threat actor utilized the CVE-2022-41040 SSRF vulnerability to access the Remote PowerShell service and used it to trigger the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. The company claimed — and security researchers agreed — that the blocking rule would help prevent known exploit patterns against the ProxyNotShell vulnerabilities.
Novel New Exploit Chain
This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft’s mitigation measure for ProxyNotShell.
The method involves the attacker exploiting another — and little-known — SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end, instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as it has for the SSRF bug in the original ProxyNotShell exploit chain.
CVE-2020-41080 allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in exactly the same way as they could when using CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group’s new exploit chain as a “previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint.”
Because Microsoft’s ProxyNotShell mitigation only blocks requests made to the Autodiscover endpoint on Microsoft Exchange server, requests to access the PowerShell remote service via the OWA front end will not be blocked, the security vendor explained.
CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as “OWASSRF.”
Patch Now or Disable OWA
“Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method,” CrowdStrike warned. “If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied.”
Microsoft did not respond immediately to a request for comment.
CrowdStrike said it discovered the new exploit chain when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers.
However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike’s further investigation showed that the attackers had used CVE-2022-41080 instead.
The security vendor’s recommendations to organizations for reducing their exposure to the new threat includes disabling remote PowerShell for nonadministrative users where possible and using EDR tools to detect Web services spawning PowerShell processes. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.
Related news
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North
The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.
A predictable patch cadence is nice, but the software giant can do more.
Categories: Threat Intelligence Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology (Read more...) The post Ransomware in December 2022 appeared first on Malwarebytes Labs.
By Waqas Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs. This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers
The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release
Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.
Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach. The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. "This zero-day exploit is associated with CVE-2022-41080," the Texas-based
The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.
The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.
Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,
Categories: News Categories: Ransomware Tags: Rackspace Tags: Exchange Tags: ransomware Tags: ProxyNotShell Rackspace said a ransomware incident affected its Hosted Exchange environment and caused service disruptions. (Read more...) The post Rackspace confirms it suffered a ransomware attack appeared first on Malwarebytes Labs.
Categories: News Categories: Ransomware Tags: Rackspace Tags: Exchange Tags: ransomware Tags: ProxyNotShell Rackspace said a ransomware incident affected its Hosted Exchange environment and caused service disruptions. (Read more...) The post Rackspace confirms it suffered a ransomware attack appeared first on Malwarebytes Labs.
Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]
Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41123.
By Deeba Ahmed Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed! This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately
Let's face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.
Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”
Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. All vulnerabilities: 105Urgent: 2Critical: 1High: 29Medium: 71Low: 2 Let’s take a look at the most interesting vulnerabilities: Two […]
Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. All vulnerabilities: 105Urgent: 2Critical: 1High: 29Medium: 71Low: 2 Let’s take a look at the most interesting vulnerabilities: Two […]
The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.
The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.
Any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
Any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.
‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement
‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
Categories: Exploits and vulnerabilities Categories: News Tags: Exchange Tags: ProxyShell Tags: remote PowerShell Tags: web shell Tags: CVE-2022-41040 Tags: CVE-2022-41082 Tags: SSRF Tags: RCE Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers (Read more...) The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: Exchange Tags: ProxyShell Tags: remote PowerShell Tags: web shell Tags: CVE-2022-41040 Tags: CVE-2022-41082 Tags: SSRF Tags: RCE Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers (Read more...) The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is
Summary Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. At this time, Microsoft is aware of limited … Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »
Summary Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. At this time, Microsoft is aware of limited … Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »