I reported some #OWASSRF #ProxyNotShell via #HackerOne because I wanted to alert those companies that they hadn’t patched their Exchange Server, not because I necessarily wanted a bounty. But these programs require that you obtain RCE proof otherwise they are closed out. I’m not going to do that because Exchange Server is typically not in scope which would be illegal to do. I also don’t want to step on any webshells that may have already been deployed by other attackers.

On Dec 22, 2022, Unit42 released a threat brief on the new OWASSRF exploit method for Microsoft Exchange Server that was published by CrowdStrike.

Threat Brief: OWASSRF Vulnerability Exploitation

https://unit42.paloaltonetworks.com/threat-brief-owassrf/

#OWASSRF #ProxyNotShell #Cybersecurity #CyberThreatIntelligence

We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow. Read the details and learn how to mitigate.

Unit 42

How did #HAW #Hamburg get ransomwared? Perhaps like this:

haw-mailer.haw-hamburg.de (15.11.2022)

Found Exchange server:
Build: 15.1.2507.13
Version: 2016CU23+KB5019077
Build date: 10/2022
Affected by CVE-2022-41040
Affected by CVE-2022-41082
Affected by CVE-2022-41078
Affected by CVE-2022-41123
Affected by CVE-2022-41079
Affected by CVE-2022-41080

[via @leakix] #OWASSRF #ProxyNotShell
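The scan output above reports a build string and a list of CVEs, which leaves the reader to work out whether that build actually predates the November 2022 Security Update. As an added example (not code from any of the posts, from the scanner, or from CrowdStrike), the PowerShell below turns a build string such as "15.1.2507.13" into a patched/unpatched verdict, and shows the documented way to read the exact build off a local server. The minimum patched build numbers in the table are an assumption written from memory and must be verified against Microsoft's published Exchange build-number table before being relied on; CU lines not in the table are reported as unknown rather than guessed.

```powershell
# Added example, not part of the original posts. The November 8, 2022 SU threshold
# builds below are ASSUMED values to be checked against Microsoft's official
# "Exchange Server build numbers and release dates" page.
$MinimumPatchedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.44'   # Exchange 2013 CU23 (assumed)
    '15.1.2507' = [version]'15.1.2507.16'   # Exchange 2016 CU23 (assumed)
    '15.2.986'  = [version]'15.2.986.36'    # Exchange 2019 CU11 (assumed)
    '15.2.1118' = [version]'15.2.1118.20'   # Exchange 2019 CU12 (assumed)
}

function Test-ExchangeBuildPatched {
    # Compare a four-part build string against the minimum build of its CU line.
    param([Parameter(Mandatory)][string]$Build)

    $v = [version]$Build
    # The first three components identify the CU line; the fourth moves with each SU.
    $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

    if (-not $MinimumPatchedBuilds.ContainsKey($cuKey)) {
        return [pscustomobject]@{
            Build  = $Build
            Status = 'UnknownCU'
            Note   = 'CU line not in table; treat as unpatched until verified'
        }
    }

    $min = $MinimumPatchedBuilds[$cuKey]
    [pscustomobject]@{
        Build          = $Build
        Status         = if ($v -ge $min) { 'Patched' } else { 'Unpatched' }
        MinimumPatched = $min.ToString()
    }
}

function Get-LocalExchangeBuild {
    # ExSetup.exe's file version reflects the installed SU; AdminDisplayVersion
    # from Get-ExchangeServer does not. Run this from the Exchange Management Shell.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    $exsetup.FileVersionInfo.FileVersion
}

# Constructed sample input in the same layout as the scan output quoted above.
$scanLines = @(
    'Found Exchange server:',
    'Build: 15.1.2507.13',
    'Version: 2016CU23+KB5019077'
)

$build = $null
foreach ($line in $scanLines) {
    if ($line -match '^Build:\s*(\S+)') { $build = $Matches[1] }
}

if ($build) {
    Test-ExchangeBuildPatched -Build $build
}
```

To check a server you administer rather than a scan line, replace the constructed `$scanLines` with `Test-ExchangeBuildPatched -Build (Get-LocalExchangeBuild)`. Keep the threshold table current: each later SU raises the fourth component again, so a table frozen at November 2022 only answers the OWASSRF question, not whether the server is fully patched.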

Write-up by Huntress, which observed a significant increase in malicious PowerShell executions delivering a ConnectWise Control (ScreenConnect) payload on unpatched Exchange hosts via the exploit chain consisting of CVE-2022-41080 and CVE-2022-41082 (dubbed #OWASSRF by CrowdStrike, as it involves an Outlook Web Access SSRF), including #IOCs and possible detections: https://www.huntress.com/blog/owassrf-explained-analyzing-the-microsoft-exchange-rce-vulnerability?hs_amp=true
OWASSRF Explained: Analyzing the Microsoft Exchange RCE Vulnerability

Huntress' analysis of a new exploit chain (called OWASSRF) that can lead to critical remote code execution on unpatched Exchange hosts.

We have observed exploitation attempts for a new exploit method for Microsoft Exchange Server, #OWASSRF. In all the attempts we observed, threat actors used a PowerShell backdoor, which we track as #SilverArrow.
bit.ly/3WnFbQe

"CrowdStrike identified a new #exploit method called #OWASSRF, consisting of CVE-2022-41080 (Privilege Elevation) and CVE-2022-41082 to achieve Remote Code Execution on an #Exchange server through the OWA endpoint. [...]
Make sure that all on-premises Exchange servers receive the November 8th (KB5019758) patch. If you are unable to apply this patch immediately, Northwave recommends disabling OWA."

#microsoft #Windows #security

https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations

Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.

crowdstrike.com

Are you detecting #OWASSRF chaining CVE-2022-41080 and CVE-2022-41082 to bypass ProxyNotShell mitigations and perform RCE on Exchange?

We have a batch of Sigma rules with translations to 25+ SIEM, EDR, XDR platforms alongside CTI links and ATT&CK references at hand.

https://socprime.com/rs/search-result?search=OWASSRF

Also, a short overview of the exploit chain is available in our blog: https://socprime.com/blog/owassrf-exploit-detection-new-exploit-method-abuses-exchange-servers-to-bypass-proxynotshell-cve-2022-41040-and-cve-2022-41082-mitigations-and-gain-rce/

Sigma Rules Search Engine for Threat Detection, Threat Hunting, and CTI

Gain instant access to MITRE ATT&CK context, hunting & detection guidance, and relevant Sigma rules easily convertible into 25+ SIEM, XDR, and EDR formats.

SOC Prime

CrowdStrike published a #PowerShell script for CVE-2022-41080 #OWASSRF that assumes the column headers for the Rpc_Http logs have not been modified from their original order/format.

This is also a useful way to learn PowerShell. Short script, different variable types, formatting and filtering data. Good reference to follow.

https://github.com/CrowdStrike/OWASSRF

GitHub - CrowdStrike/OWASSRF

GitHub

Ransomware-wielding attackers are using a new exploit chain that includes one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to achieve remote code execution on Microsoft Exchange servers.

The ProxyNotShell exploit chain used CVE-2022-41040, an SSRF vulnerability in the Autodiscover endpoint of Microsoft Exchange, while this new one uses CVE-2022-41080 to achieve privilege escalation through Outlook Web Access (OWA).

https://www.helpnetsecurity.com/2022/12/21/cve-2022-41080/

#Microsoft #Exchange #OWASSRF #vulnerability #exploit #Cybersecurity

New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) - Help Net Security

The ProxyNotShell exploit chain used CVE-2022-41040 while this new one uses CVE-2022-41080 to achieve privilege escalation through OWA.

Help Net Security