Play ransomware actors are using a new exploit method to bypass Microsoft's ProxyNotShell mitigations and gain initial access to Exchange servers, according to new research from CrowdStrike.
ProxyNotShell consists of two Microsoft Exchange Server vulnerabilities that were exploited in the wild prior to public disclosure in September. Attackers chained a server-side request forgery (SSRF) flaw, tracked as CVE-2022-41040, and a remote code execution vulnerability that was assigned CVE-2022-41082 to gain access to users' systems.
While Microsoft released URL rewrite mitigations for the Autodiscover endpoint in response to ProxyNotShell, Play ransomware actors found a workaround. Now Exchange may be at the center of another potentially significant wave of attacks.
Brian Pitchford, CrowdStrike incident response consultant; Erik Iker, incident response services manager; and security researcher Nicolas Zilio detailed the new risk to enterprises in a blog post Tuesday. The research showed how operators behind Play ransomware leveraged CVE-2022-41080 with one of the ProxyNotShell flaws, CVE-2022-41082, to achieve remote code execution through Outlook Web Access (OWA). CrowdStrike calls the exploit method "OWASSRF."
"The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange," Pitchford, Iker and Zilio wrote in the blog post. "After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity."
Microsoft's vulnerability guide classifies CVE-2022-41080 as a Microsoft Exchange Server elevation of privilege flaw that requires low attack complexity with no user interaction. Because CVE-2022-41080 shares the same Common Vulnerability Scoring System (CVSS) rating as CVE-2022-41040 and was marked "exploited more likely" by Microsoft, CrowdStrike assessed it was highly likely that the new technique was tied to the flaw.
Subsequently, CrowdStrike confirmed that CVE-2022-41080 was not exploited to gain initial access but was used in conjunction with the ProxyNotShell flaw to bypass Microsoft's mitigations. Essentially, the new tactic eliminates the need to use the Autodiscover endpoint to reach the PowerShell remoting service. When addressing ProxyNotShell in September, Microsoft confirmed successful attacks required PowerShell access.
"Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange," the blog read.
The researchers said CrowdStrike Services has investigated "several Play ransomware intrusions" where the OWASSRF exploit technique was used, though it's unclear how many attacks have been committed so far. CrowdStrike told TechTarget Editorial it is unable to disclose the exact number.
In a blog post published on Wednesday, Rapid7 said it has "responded to an increase in the number of Microsoft Exchange server compromises" connected to the OWASSRF method. Rapid7 urged users to install the latest Exchange update immediately and warned them not to rely on the Microsoft rewrite mitigation, noting that patched servers do not appear to be vulnerable.
After testing patched and unpatched systems, CrowdStrike urged organizations to apply the November 8 Patch Tuesday fix, named KB5019758, for Exchange systems to prevent exploitation. If organizations are unable to patch immediately, the vendor recommended disabling OWA entirely.
Attacks against Microsoft Exchange Server have grown in frequency over the last year as vulnerabilities were exploited by threat actors and the Chinese nation-state group known as Hafnium, prior to public disclosure in several instances.
Earlier this month, Rackspace, a cloud hosting provider, confirmed it suffered a ransomware attack on Dec. 2 that caused disruptions for its hosted Microsoft Exchange services. In an update posted to its website on Dec. 9, Rackspace said it engaged CrowdStrike's incident response team immediately following the attack. CrowdStrike's investigation confirmed the incident was "limited solely to the Hosted Exchange Email business."
While Rackspace confirmed the ransomware incident, the cloud provider has not commented on other details of the attack, including the initial vector, the type of ransomware and whether a ransom was paid.