2022-12-21

A new Microsoft Exchange flaw is being used to attack servers and deliver remote access tools and remote management software, researchers have revealed.

Cybersecurity researchers at CrowdStrike discovered a new exploit chain while investigating an attack involving Play ransomware. Further analysis concluded that the exploit chain bypasses the URL rewrite mitigations for the ProxyNotShell flaw, granting threat actors Remote Code Execution (RCE) on target endpoints.

Calling the exploit OWASSRF, they explained that the attackers used Remote PowerShell to exploit flaws identified as CVE-2022-41080 and CVE-2022-41082.

Privilege escalation on Exchange servers

“It was found that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, suggesting a previously undisclosed exploit method for Exchange,” the researchers explained in a blog post.

When Microsoft first disclosed CVE-2022-41080, it gave the bug a “critical” rating because it enabled remote privilege escalation on Exchange servers, but it also stated that there was no evidence the bug was being exploited in the wild. It is therefore difficult to determine whether the flaw was exploited as a zero-day before the patch became available.

However, the patch is available and all organizations with on-premises Microsoft Exchange servers are advised to apply at least the November 2022 Cumulative Update to stay safe. If they are unable to apply the patch at this time, it is advised to disable OWA.

CrowdStrike believes the attackers used the flaw to deliver the Plink and AnyDesk remote access tools, as well as the ConnectWise remote management software.

Microsoft Exchange servers are a popular target for cybercriminals, but the company is well aware of this and has implemented several measures to try to keep its customers safe. Among other things, it announced that it would permanently disable Exchange Online’s basic authentication in early January 2023.

“Starting in early January, approximately 7 days before we make the configuration change, we will be sending Message Center messages to affected tenants to permanently disable the use of basic authentication for protocols in the scope,” the company said. “Shortly after basic authentication is permanently disabled, any client or app that connects using basic authentication using any of the affected protocols will receive a bad username/password/HTTP 401 error.”

For years, Microsoft has been warning users that Exchange Online’s basic authentication will eventually be discontinued and replaced with a more modern authentication method.