The operators of a ransomware pressure referred to as Play have developed a brand new exploit chain for a vital distant code execution (RCE) vulnerability in Change Server that Microsoft patched in November.
The brand new methodology bypasses mitigations that Microsoft had offered for the exploit chain, that means organizations which have solely applied these however have not but utilized the patch for it want to take action instantly.
The RCE vulnerability at problem (CVE-2022-41082) is considered one of two so-called “ProxyNotShell” flaws in Change Server variations 2013, 2016, and 2019 that Vietnamese safety firm GTSC publicly disclosed in November after observing a risk actor exploiting them. The opposite ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that provides attackers a option to elevate privileges on a compromised system.
Within the assault that GTSC reported, the risk actor utilized the CVE-2022-41040 SSRF vulnerability to entry the Distant PowerShell service and used it to set off the RCE flaw on affected techniques. In response, Microsoft beneficial that organizations apply a blocking rule to stop attackers from accessing the PowerShell distant service by means of the Autodiscover endpoint on affected techniques. The corporate claimed — and safety researchers agreed — that the blocking rule would assist forestall identified exploit patterns in opposition to the ProxyNotShell vulnerabilities.
Novel New Exploit Chain
This week, nevertheless, researchers at CrowdStrike stated that they had noticed the risk actors behind Play ransomware use a brand new methodology to take advantage of CVE-2022-41082 that bypasses Microsoft’s mitigation measure for ProxyNotShell.
The strategy entails the attacker exploiting one other — and little-known — SSRF bug in Change server tracked as CVE-2022-41080 to entry the PowerShell distant service through the Outlook Internet Entry (OWA) entrance finish, as a substitute of the Autodiscover endpoint. Microsoft has assigned the bug the identical severity score (8.8) because it has for the SSRF bug within the authentic ProxyNotShell exploit chain.
CVE-2020-41080 permits attackers to entry the PowerShell distant service and use it to take advantage of CVE-2022-41082 in precisely the identical approach as they might when utilizing CVE-2022-41040, CrowdStrike stated. The safety vendor described the Play ransomware group’s new exploit chain as a “beforehand undocumented option to attain the PowerShell remoting service by means of the OWA frontend endpoint, as a substitute of leveraging the Autodiscover endpoint.”
As a result of Microsoft’s ProxyNotShell mitigation solely blocks requests made to the Autodiscover endpoint on Microsoft Change server, requests to entry the PowerShell distant service through the OWA entrance finish is not going to be blocked, the safety vendor defined.
CrowdStrike has christened the brand new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as “OWASSRF.”
Patch Now or Disable OWA
“Organizations ought to apply the Nov. 8, 2022, patches for Change to stop exploitation because the URL rewrite mitigations for ProxyNotShell are usually not efficient in opposition to this exploit methodology,” CrowdStrike warned. “For those who can’t apply the KB5019758 patch instantly, you must disable OWA till the patch could be utilized.”
Microsoft didn’t reply instantly to a request for remark.
CrowdStrike stated it found the brand new exploit chain when investigating a number of latest Play ransomware intrusions the place the preliminary entry vector was through a Microsoft Change Server vulnerability. The researchers rapidly discovered that Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop official payloads for sustaining entry and performing anti-forensics methods on compromised Microsoft Change Servers.
Nevertheless, there was no signal that that they had used CVE-2022-41040 as a part of the exploit chain. CrowdStrike’s additional investigation confirmed that the attackers had used CVE-2022-41080 as a substitute.
The safety vendor’s suggestions to organizations for decreasing their publicity to the brand new risk contains disabling distant PowerShell for nonadministrative customers the place potential and utilizing EDR instruments to detect Internet providers spawning PowerShell processes. The corporate has additionally offered a script that directors can use to watch Change servers for indicators of exploitation.
