cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram

Ransomware groups bypass ProxyNotShell mitigations with new exploit

A new exploit that allows bad actors to use Outlook Web Access to remotely run code on the Microsoft Exchange Server has been discovered by security researchers at CrowdStrike.

user icon Daniel Croft
Fri, 30 Dec 2022
Ransomware groups bypass ProxyNotShell mitigations with new exploit
expand image

Dubbed Outlook Web Access Server-Side Request Forgery (OWASSRF), the method makes use of two vulnerabilities to sidestep Microsoft’s ProxyNotShell mitigations and access Exchange servers, which could now be subject to a wave of new cyber attacks.

The two flaws, being CVE-2022-41040 and CVE-2022-41082, can be triggered by an attacker to run Microsoft’s task automation and config management program Powershell, and gain the ability to run remote code.

CrowdStrike found that operators from the Play Ransomware group had been using OWASSRF to access the Microsoft Exchange Server, before attempting to mask their actions by clearing Windows Event Logs on affected backend Exchange servers.

“After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity,” said CrowdStrike in a press release.

CrowdStrike researchers had been working to develop proof-of-concept code to emulate the breach. While researcher Dray Agha was able to recreate the exploit method attack on Exchange systems that had not been patched against ProxyNot Shell, he was unable for patched systems.

Organisations have been recommended to disable remote PowerShell for non-admin users, to update to Microsoft’s November 2022 security updates and deploy endpoint detection and response tools.

Organisations that for any reason are unable to apply the November Microsoft patches should disable Outlook Web Access.

Comments powered by CComment

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.