Last updated at Tue, 07 Feb 2023 20:30:27 GMT
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”, a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA).
Patched servers do not appear vulnerable, servers only utilizing Microsoft’s mitigations do appear vulnerable.
Threat actors are using this to deploy ransomware.
Rapid7 recommends that organizations who have yet to install the Exchange update (KB5019758) from November 2022 should do so immediately and investigate systems for indicators of compromise. Do not rely on the rewrite mitigations for protection.
The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
In addition to the detection rules included in InsightIDR for Rapid7 customers, other IOCs include:
- PowerShell spawned by IIS ('w3wp.exe') creating outbound network connections
Example command being spawned by IIS (w3wp.exe):
Decoded command where the highlighted string (0x2d4c8f8f) is the hex representation of the IP address 45.76.143[.]143
Rapid7 has evidence of exploitation in the wild as far back as December 1, 2022.
Customers already have coverage to assist in assessing exposure to and detecting exploitation of this threat.
InsightVM and Nexpose
InsightVM and Nexpose added checks for CVE-2022-41080 and CVE-2022-41082 on November 8, 2022.
InsightIDR customers can look for the alerting of the following rules, typically seeing several (or all) triggered on a single executed command:
- Attacker Technique - PowerShell Registry Cradle
- Suspicious Process - PowerShell System.Net.Sockets.TcpClient
- Suspicious Process - Exchange Server Spawns Process
- PowerShell - Obfuscated Script
- Webshell - IIS Spawns PowerShell
Additional detections currently being observed with follow-on activity in these compromises include:
- Attacker Technique - Plink Redirecting RDP
- Attacker Technique - Renamed Plink
- Suspicious Process - Started From Users Music Directory
Managed Detection & Response customers
Your customer advisor will reach out to you right away if any suspicious activity is observed in your organization.
Eoin Miller contributed to this article.
12/21/22 4PM ET: Updated IOC with EITW information.