Dive Brief:
- CrowdStrike researchers discovered a new exploit method by Play ransomware actors that can bypass URL rewrite mitigations released by Microsoft in October, according to a Tuesday blog post from the incident response firm. Microsoft's updates were designed to mitigate ProxyNotShell vulnerabilities.
- Crowdstrike researchers discovered the new method while investigating Play ransomware activity. The entry vector was suspected to be zero-day vulnerabilities CVE-2022-41080 and CVE-2022-41082, according to the blog.
- While investigating the attacks, researchers found threat actors entered through Outlook Web Access (OWA) and leveraged Plink and AnyDesk in order to maintain access.
Dive Insight:
In traditional ProxyNotShell exploits the Autodiscover endpoint is accessed through an authenticated request on the front end, according to CrowdStrike. A path confusion exploit, CVE-2022-41040, allows the attackers to reach the backend for arbitrary URLs, a vulnerability called a server side request forgery.
In ProxyNotShell the Remote PowerShell is the targeted backend service, according to CrowdStrike. After the PowerShell remoting service is reached, CVE-2022-41082 is exploited to execute arbitrary commands.
Incident responders at CrowdStrike found Remote PowerShell logs that were similar to ProxyNotShell log entries. However, in this case they found the PowerShell remoting service was reached through the OWA frontend endpoint, rather than leveraging the Autodiscover endpoint, according to the blog.
Researchers at Trend Micro noted in September that Play ransomware was connected to threat activity in Latin America. The threat actor utilized similar tactics to Hive and Nokoyawa ransomware.
The ProxyNotShell zero days were initially discovered by a Vietnam-based firm this summer and Microsoft provided a number of mitigation steps during the month of October while it worked on a patch. Researchers repeatedly called out Microsoft as bypass methods were found to work against a number of the steps.
Microsoft issued a patch in early November after a couple of attacks were connected to the vulnerabilities, including activity by a state-linked threat actor.
“The reported method exploits vulnerable systems that have not applied our latest security updates,” a spokesperson for Microsoft said Wednesday via email.
The spokesperson said customers should prioritize the Exchange Server updates released in November.
Many organizations have failed to apply the Nov. 8 security updates released by Microsoft, possibly because they believed they could rest on making suggested mitigations, according to Glenn Thorpe, program manager, emergent threat response at Rapid7.
“While the mitigations did buy organizations some more time to patch, it appears that extended time is over as the servers strictly relying on the previously recommended mitigations are the ones now vulnerable to attack,” Thorpe said via email.