Researchers have revealed that a new vulnerability in Microsoft Exchange is being used to attack servers and deliver remote access tools and remote administration software.
CrowdStrike cybersecurity experts stumbled upon a new exploit chain while investigating a Play ransomware attack. Upon further analysis, the exploit chain was found to bypass the ProxyNotShell URL Rewrite Mitigation, allowing cybercriminals to achieve Remote Code Execution (RCE) on targeted endpoints.
They named the exploit OWASSRF and explained that the attackers used Remote PowerShell to abuse vulnerabilities tracked as CVE-2022-41080 and CVE-2022-41082.
Privilege escalation on Exchange servers
“It turned out that the relevant requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed method of exploiting vulnerabilities in Exchange,” the researchers explained in a blog post.
When Microsoft first discovered CVE-2022-41080, it rated it “critical” because it allowed remote privilege escalation on Exchange servers, but also added that there was no evidence that the vulnerability was exploited in the wild. Therefore, it is difficult to determine whether the vulnerability was abused as a zero-day before a patch was available.
However, a fix is available, and all organizations with on-premises Microsoft Exchange servers are recommended to apply at least the November 2022 Cumulative Update to stay secure. If they cannot apply the patch at this time, it is recommended that they disable OWA.
CrowdStrike believes attackers exploited this vulnerability to deliver Plink and AnyDesk remote access tools, as well as ConnectWise remote administration software.
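The researchers' description above gives defenders one thing to look for: requests that enter through the OWA endpoint and end up at Remote PowerShell. The following is an added illustration, not code from CrowdStrike, Microsoft or the original article, of a check a defender could run over IIS W3C logs from an on-premises Exchange server. It assumes that such a request appears in the log with a path that begins with /owa/ and contains a /powershell segment (an assumption derived from the description, not a published indicator on this page); the log lines it scans are constructed sample data.

```python
"""Flag OWA requests that reach the Exchange PowerShell endpoint in IIS W3C logs.

Added illustration, not code from CrowdStrike or Microsoft. It assumes that an
OWASSRF-style request shows up as an IIS log entry whose path begins with /owa/
and contains a /powershell segment (an assumption derived from the article's
description: requests went through the OWA endpoint to reach Remote PowerShell).
The log excerpt below is constructed sample data, not from a real server.
"""
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-12-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200
2022-12-20 10:01:09 10.0.0.5 POST /owa/user%40example.test/powershell - 443 - 198.51.100.7 python-requests/2.28 200
2022-12-20 10:02:15 10.0.0.5 POST /powershell - 443 EXAMPLE\\admin 10.0.0.20 Microsoft+WinRM+Client 200
2022-12-20 10:03:44 10.0.0.5 GET /owa/service.svc action=GetFolder 443 user1 198.51.100.9 Mozilla/5.0 200
"""

# Assumed pattern: an OWA path that carries a /powershell segment. A direct
# request to /powershell (legitimate remote management) does not match.
OWA_POWERSHELL = re.compile(r"^/owa/.*/powershell(/|$)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header.

    Other '#' directives are skipped, and a record whose field count does not
    match the header is dropped rather than guessed at.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_owa_powershell_requests(text):
    """Return (client IP, decoded path, HTTP status) for every matching request."""
    hits = []
    for rec in parse_w3c(text):
        path = unquote(rec["cs-uri-stem"])  # decode %40 -> @ before matching
        if OWA_POWERSHELL.search(path):
            hits.append((rec["c-ip"], path, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_owa_powershell_requests(SAMPLE_LOG):
        print(f"OWA request reaching PowerShell from {ip}: {path} (HTTP {status})")
```

On the constructed excerpt only the second record is flagged; the direct POST to /powershell from the management host is left alone, since ordinary Remote PowerShell administration does not pass through OWA. Decoding the URL first matters because the same path can be logged percent-encoded or plain, and a pattern applied to the raw string would miss one of the two forms.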
Microsoft Exchange servers are a popular target for cybercriminals, but the company is well aware of this and implements various solutions to ensure the security of its customers. Among other things, it announced that it will permanently disable Exchange Online Basic Authentication in early January 2023.
“In early January, we will be sending Message Center posts to affected tenants approximately 7 days before making a configuration change to permanently disable basic authentication for scoped protocols,” the company said. “Shortly after you permanently disable Basic Authentication, all clients or applications that connect using Basic Authentication to one of the affected protocols will receive an Invalid Username/Password/HTTP 401 error.”
For years, Microsoft has been warning users that Exchange Online’s basic authentication will eventually be phased out and replaced with a more modern authentication method.