Researchers from Bitdefender Labs have observed a growing number of attacks since late November using ProxyNotShell/OWASSRF exploit chains aimed at on-premises Microsoft Exchange Server deployments.
CrowdStrike previously disclosed that Play ransomware was using those techniques after investigating similar attacks built on server-side request forgery. The threat actors used the method to bypass the URL rewrite mitigations Microsoft had previously released; the same method was seen during the ransomware attack against Rackspace.
Bitdefender researchers said the attacks they observed were mainly against U.S. targets, but they also impacted companies in Poland, Kuwait, Austria and Turkey.
The impacted firms came from a variety of industries, including manufacturing, real estate, legal, and arts and entertainment. Researchers said the attacks appear to be opportunistic rather than aimed at a specific industry.
Bitdefender outlined four different attack scenarios:
- After using the ProxyNotShell exploit chain, the attackers attempted to use two separate remote access tools: Meterpreter, a Metasploit attack payload, and ConnectWise Control, formerly known as ScreenConnect.
- Threat actors attempted to use web shells to install persistence on a compromised system, according to Bitdefender. The technique is usually used by initial access brokers, who then sell the compromised network to other groups.
- Threat actors attributed to Cuba ransomware attempted to use a ProxyNotShell exploit chain to execute PowerShell commands. The actors attempted to deploy the Bughatch downloader; researchers based the attribution on known indicators of compromise and reused infrastructure. The commands were blocked, but the attackers silently downloaded a legitimate remote support tool called GoToAssist.
- In the final scenario, threat actors tried to dump credentials from the Security Account Manager (SAM) database and from Local Security Authority Subsystem Service (LSASS) memory, likely in preparation for a ransomware attack.
Researchers from Palo Alto Networks say they have also observed a number of limited attacks using the same methods since November.
“As mentioned in our blog, OWASSRF uses the [Outlook Web Access] frontend endpoint to exploit CVE-2022-41080, which requires the actor to be authenticated to the server prior to exploitation,” said Robert Falcone, senior principal researcher, Unit 42 at Palo Alto Networks.
While the post authentication requirement “nixed the chance of mass scanning and exploitation,” Falcone said researchers have seen limited exploitation attempts against customers dating back to November.
Palo Alto Networks, in its December blog post, outlined an early attempt to execute an initial PowerShell-based backdoor that researchers dubbed SilverArrow, which in one case led to remote desktop access that allowed the attackers to dump user credentials from memory, according to Falcone.
Palo Alto Networks said it saw an attempt to exploit OWASSRF on a semiconductor organization in Europe on Jan. 20 and an exploitation attempt on Jan. 17 to attack a Canadian healthcare organization.
A spokesperson for Microsoft said the reported method exploits systems that have not applied the company's security updates and urged customers to apply the Exchange Server updates released in November.