The exploit allows threat actors to bypass ProxyNotShell URL rewrite mitigations and gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). To execute arbitrary commands on compromised servers, the ransomware operators leverage Remote PowerShell to abuse the CVE-2022-41082 vulnerability. This new exploit chain is particularly concerning because it targets the Microsoft Exchange server, a critical component for many organizations. This server manages email communications within an organization, and a compromise of this server can have far-reaching consequences. Using the OWASSRF exploit chain, the threat actors behind Play ransomware can infiltrate the victim’s network through the Exchange server, potentially allowing them to gain access to sensitive data and disrupt operations.

How can organizations protect themselves from the OWASSRF exploit chain?

Microsoft rated the CVE-2022-41082 vulnerability as “critical” because it allowed for remote privilege escalation on Exchange servers. The company also stated that it had no evidence of the bug being exploited in the wild. Therefore, it was difficult to determine if anyone had been exploiting the flaw as a zero-day before the patch became available. To protect against the OWASSRF exploit chain, Microsoft has advised organizations with on-premises Exchange servers to apply at least the November 2022 cumulative update. If this isn’t possible, they recommend disabling OWA as a precautionary measure. Additionally, Microsoft will permanently disable Exchange Online basic authentication in early January 2023 to protect its customers. “Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to disable Basic auth use for protocols in scope,” the company said.
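As an added example (not code from the article, CrowdStrike or Microsoft), the following PowerShell script audits an on-premises Exchange server against the three points above: whether the installed build is at or above the November 2022 update, whether OWA virtual directories are still published, and how many users can still use Remote PowerShell, the channel the article says is abused to reach CVE-2022-41082. It is meant to be run in the Exchange Management Shell. The value of `$MinimumBuild` is a placeholder: the article does not state the build number of the November 2022 update, so you must fill it in from Microsoft's release notes for your Exchange version.

```powershell
# Added defender audit for the OWASSRF mitigations described above.
# Not part of the original article. Run in the Exchange Management Shell on the server itself.

# PLACEHOLDER: replace with the ExSetup.exe file version of the November 2022 update
# for your Exchange version (see Microsoft's "Exchange Server build numbers" page).
$MinimumBuild = [version]"15.2.0.0"

function Get-ExchangePatchStatus {
    # The ExSetup.exe file version reflects the installed CU and security update,
    # which is the comparison Microsoft's own documentation recommends.
    $info = Get-Command ExSetup.exe -ErrorAction Stop | ForEach-Object { $_.FileVersionInfo }
    $installed = [version]$info.FileVersion
    [pscustomobject]@{
        InstalledBuild = $installed
        MinimumBuild   = $MinimumBuild
        Patched        = ($installed -ge $MinimumBuild)
    }
}

function Get-OwaExposure {
    # OWA is the entry point for the exploit chain; list what this server publishes.
    Get-OwaVirtualDirectory -Server $env:COMPUTERNAME -ErrorAction Stop |
        Select-Object Server, Name, InternalUrl, ExternalUrl
}

function Get-RemotePowerShellUsers {
    # Remote PowerShell is used to turn the SSRF into code execution. Count how many
    # mailbox users still have it enabled; ideally only administrators need it.
    $users = Get-User -ResultSize Unlimited -ErrorAction Stop |
        Where-Object { $_.RemotePowerShellEnabled }
    [pscustomobject]@{
        UsersWithRemotePowerShell = @($users).Count
        SampleAccounts            = @($users | Select-Object -First 10 -ExpandProperty Name)
    }
}

$patch = Get-ExchangePatchStatus
Write-Host "Installed build $($patch.InstalledBuild); minimum $($patch.MinimumBuild); patched: $($patch.Patched)"
if (-not $patch.Patched) {
    Write-Warning "Server is below the November 2022 update. Apply it, or disable OWA until you can."
}

Write-Host "`nOWA virtual directories on this server:"
Get-OwaExposure | Format-Table -AutoSize

Write-Host "Remote PowerShell access:"
Get-RemotePowerShellUsers | Format-List
```

If the patch check fails and OWA cannot be taken offline immediately, the `Set-User -RemotePowerShellEnabled $false` cmdlet can be applied to the non-administrative accounts the last function lists, which narrows the path from OWA to command execution while the update is scheduled. Re-run the script after patching so the `Patched` field confirms the new build.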