Update 3: Threat Response – Zero-day vulnerabilities in Microsoft Exchange

23-12-2022


On Friday, September 30th, two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 were identified [1][3]. These vulnerabilities (CVE-2022-41040, CVE-2022-41082), collectively known as ProxyNotShell, were used by attackers to bypass authentication on Exchange servers and perform remote code execution. For unpatched on-premises Exchange servers, a workaround was proposed: blocking exposed Remote PowerShell ports and adding a URL-rewrite rule [1]. An official Exchange Server update was published on November 8th for both vulnerabilities.

On Tuesday, December 20th, CrowdStrike identified a new exploit method called OWASSRF, consisting of CVE-2022-41080 (Privilege Elevation) and CVE-2022-41082, to achieve Remote Code Execution on an Exchange server through the OWA (Outlook Web Access) endpoint. This new method bypasses the aforementioned workarounds for unpatched Exchange servers. The OWASSRF method does not use the CVE-2022-41040 vulnerability for initial access. CrowdStrike assesses it is highly likely that the OWASSRF technique is tied to CVE-2022-41080 [4]. Furthermore, the OWASSRF method was discovered in attacker tooling and produced the same behaviour as observed in recent Play ransomware intrusions [4]. Because there is a high likelihood this new method is being actively exploited, we are sending you this update.

The official Exchange Server patch for CVE-2022-41082, released on November 8th, makes exploitation through the OWASSRF technique impossible.

Impact

Successful exploitation of CVE-2022-41080 (Privilege Elevation) could allow an already authenticated attacker to remotely execute code by exploiting CVE-2022-41082 on on-premises Exchange servers that rely only on Microsoft's previously published workarounds. This vulnerability is likely being actively exploited by attackers. For this reason, we estimate the impact as high.

Risk

On-premises Exchange servers that were not patched and rely on the workarounds that Microsoft published [1] are still vulnerable to the OWASSRF exploit technique. Since Exchange servers are exposed to the internet, vulnerable servers can become an easy target for attackers. Additionally, targeted attacks likely tied to this technique have been observed [4]. For this reason, we estimate the risk as high.

Mitigation

An official Exchange Server patch was released on November 8th (KB5019758) to address these vulnerabilities [5]. Alternatively, blocking Remote PowerShell access prevents authenticated attackers from abusing CVE-2022-41082 [1]. Please note that the URL-rewrite workaround proposed by Microsoft for ProxyNotShell is not effective against OWASSRF.

What should you do?

Make sure that all on-premises Exchange servers receive the November 8th (KB5019758) patch. If you are unable to apply this patch immediately, Northwave recommends disabling OWA until the patch can be applied. Furthermore, ensure that Remote PowerShell access is blocked to prevent authenticated attackers from abusing vulnerability CVE-2022-41082 [1].
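
A read-only check of the three points above, as an added example that is not part of the original advisory. It assumes it is run in the Exchange Management Shell on an on-premises Exchange server; the function name, variable names and report layout are illustrative.

```powershell
# Added example (not from the advisory). Read-only: reports state, changes nothing.
# Assumption: run in the Exchange Management Shell on the Exchange server itself.

function Get-ExchangeMitigationState {
    # 1. Installed build of this server. Security updates change the ExSetup.exe
    #    file version, so this is the value to compare with the build numbers
    #    listed for KB5019758.
    $build = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion

    # 2. Accounts that may still open a Remote PowerShell session.
    #    Anything listed here that is not an Exchange administrator is a candidate
    #    for: Set-User -Identity <account> -RemotePowerShellEnabled $false
    $rpsUsers = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
        Select-Object Name, UserPrincipalName, RecipientTypeDetails

    # 3. Mailboxes that can still sign in to OWA while the server is unpatched.
    $owaMailboxes = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.OWAEnabled } |
        Select-Object Name, PrimarySmtpAddress

    [pscustomobject]@{
        Server               = $env:COMPUTERNAME
        ExSetupBuild         = $build
        RemotePowerShellOn   = @($rpsUsers).Count
        OwaEnabledMailboxes  = @($owaMailboxes).Count
        RemotePowerShellList = $rpsUsers
        OwaMailboxList       = $owaMailboxes
    }
}

$state = Get-ExchangeMitigationState

# Summary first, then the account lists for review.
$state | Format-List Server, ExSetupBuild, RemotePowerShellOn, OwaEnabledMailboxes
$state.RemotePowerShellList | Sort-Object Name | Format-Table -AutoSize
$state.OwaMailboxList | Sort-Object Name | Format-Table -AutoSize
```

Run it on each Exchange server, since the ExSetup.exe build is read locally; the Remote PowerShell and OWA lists are organisation-wide and will be the same on every server.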

What will Northwave do?

For customers with EDRS based on Defender on Endpoint, Northwave will closely monitor for activity related to Web Shells in IIS servers and Exploitation of Exchange server vulnerabilities. Moreover, we will use the Northwave SOC Defender Management application to actively detect any suspicious activity indicating the exploitation of this new technique. If access to our Defender Management application is not arranged, please contact your Security Operations Manager (SOM) for instructions. For customers with EDRS based on ESET, active post-exploitation will be detected. We are also looking into additional capabilities to detect these attacks with ESET.

Furthermore, for non-EDRS customers, Northwave already implemented a Microsoft Sentinel use case based on Windows Security Events to detect WebShell activity on Exchange servers. Northwave will monitor developments around this attack technique. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

[2]: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/

[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610

[4]: https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

[5]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.