The Play ransomware group, which has been active since about June, has been using a previously unseen method to exploit the two ProxyNotShell vulnerabilities in Microsoft Exchange to gain initial access to target environments in some recent intrusions.
The exploitation method is similar to previously known methods, but rather than targeting the AutoDiscover endpoint, it goes through the Outlook Web Application frontend to reach the PowerShell remoting service in Exchange. Researchers at CrowdStrike discovered the exploitation method while investigating two recent Play ransomware incidents. They initially thought that the attackers had used known exploits for the ProxyNotShell bugs (CVE-2022-41080 and CVE-2022-41082), but found after further investigation that the actors had used a previously unknown method.
“In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access. Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange,” CrowdStrike researchers said in a post detailing the newly documented method that they named OWASSRF.
Microsoft released patches for the two ProxyNotShell vulnerabilities in November and those fixes protect against the previously known exploit methods as well as the new one that CrowdStrike documented. However, the newer method does bypass some exploit mitigations that Microsoft released in September before patches were available.
The ProxyNotShell vulnerabilities first surfaced in September when researchers at Vietnamese security firm GTSC Cyber Security discovered exploitation of the previously unknown bugs and published some details. Other researchers soon began digging into the flaws and found that attackers were installing webshells on compromised servers for persistence. Microsoft investigated the bugs as well, and issued initial guidance that included adding a custom URL rewrite rule in the IIS web server, but the new method that CrowdStrike found is able to bypass that mitigation by not targeting the AutoDiscover endpoint in Exchange.
In the incidents that CrowdStrike investigated, the Play ransomware actors renamed two legitimate executables, Plink and AnyDesk, and used those for persistent access.
“CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs, indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers,” the CrowdStrike report says.
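As an added illustration of the defensive angle in this article (this is not code from the article, from CrowdStrike, or from Rapid7), the Python script below does the two things a responder would want here: it scans IIS W3C request logs for requests that reach Exchange's PowerShell remoting backend through the OWA frontend (the OWASSRF path) or through the Autodiscover frontend (the original ProxyNotShell path), and it correlates file-creation timestamps of dropped tooling with Remote PowerShell execution events, the correlation CrowdStrike's responders describe. The log lines and file paths are constructed samples, and the assumption that a request to the PowerShell backend shows up as "powershell" in the URI stem or query behind one of those frontends is an illustrative simplification rather than a statement from the article.

```python
from datetime import datetime, timedelta
import re

# Constructed IIS W3C sample (not from the article). Paths and clients are illustrative.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-01 10:14:58 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail%2fowa 198.51.100.5 200
2022-12-01 10:15:02 POST /owa/user%40contoso.com/powershell - 203.0.113.10 200
2022-12-01 10:15:03 POST /autodiscover/autodiscover.json a=user%40contoso.com/powershell 203.0.113.10 200
2022-12-01 10:16:40 POST /ecp/default.aspx - 198.51.100.7 200
"""

# Assumption for illustration: a request reaches the PowerShell remoting backend when
# "powershell" appears in the stem or query behind one of these Exchange frontends.
FRONTEND_LABELS = {
    "/owa/": "OWASSRF-style (OWA frontend)",
    "/autodiscover/": "ProxyNotShell-style (Autodiscover frontend)",
}
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        yield dict(zip(fields, parts))


def find_powershell_proxy_requests(text):
    """Return (timestamp, client_ip, label, uri_stem) for requests that reach the
    PowerShell remoting service through an Exchange frontend."""
    hits = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"]
        for prefix, label in FRONTEND_LABELS.items():
            if stem.startswith(prefix) and (POWERSHELL_RE.search(stem) or POWERSHELL_RE.search(query)):
                ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
                hits.append((ts, rec["c-ip"], label, rec["cs-uri-stem"]))
                break
    return hits


# Constructed events: creation times of renamed tooling and Remote PowerShell
# execution events. File names are placeholders, not names seen in any incident.
FILE_CREATIONS = [
    (datetime(2022, 12, 1, 10, 15, 9), r"C:\Temp\renamed-plink.exe"),
    (datetime(2022, 12, 1, 10, 15, 11), r"C:\Temp\renamed-anydesk.exe"),
    (datetime(2022, 12, 1, 9, 2, 0), r"C:\Temp\unrelated.txt"),
]
REMOTE_POWERSHELL_EVENTS = [
    datetime(2022, 12, 1, 10, 15, 4),
    datetime(2022, 12, 1, 10, 15, 7),
]


def correlate_file_drops(creations, ps_events, window_seconds=60):
    """Return (path, created_at, nearest_prior_event) for files created within
    `window_seconds` after a Remote PowerShell execution event."""
    window = timedelta(seconds=window_seconds)
    flagged = []
    for created, path in creations:
        prior = [e for e in ps_events if e <= created and created - e <= window]
        if prior:
            flagged.append((path, created, max(prior)))
    return flagged


if __name__ == "__main__":
    for ts, client, label, stem in find_powershell_proxy_requests(SAMPLE_IIS_LOG):
        print(f"{ts} {client} {label}: {stem}")
    for path, created, event in correlate_file_drops(FILE_CREATIONS, REMOTE_POWERSHELL_EVENTS):
        delta = int((created - event).total_seconds())
        print(f"{path} created {created}, {delta}s after PowerShell event at {event}")
```

On a real server the two inputs would come from the IIS logs on the frontend and from the Remote PowerShell logs plus file-system timestamps on the backend Exchange server; the script keeps the frontend and backend signals separate so that a hit in one can be checked against the other, which is the cross-check CrowdStrike's responders used to tie the dropped tooling to the exploit chain.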
The Play ransomware group is a newer entrant on the scene and shares some tactics and tools with other ransomware groups, notably the Hive group.
Soon after the CrowdStrike researchers discovered the new exploitation method, another researcher came across a collection of tooling used by an attacker to exploit the bugs and posted it online. This allowed the CrowdStrike researchers to recreate the method the Play group had used.
“The code works in two steps. The first step is the previously unknown OWA exploit technique. This first step provides a SSRF equivalent to the Autodiscover technique used in ProxyNotShell exploitation. The second step is simply the same exploit used in the second step of ProxyNotShell, allowing code execution through PowerShell remoting,” the researchers said.
“CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8, 2022 patch KB5019758, but could not replicate the attack on systems that had received that patch.”
Rapid7 researchers also have seen attackers using this exploitation method.