12-21-2022 , 09:00 AM
Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).
Cybersecurity firm CrowdStrike spotted the exploit (dubbed OWASSRF) while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks.
To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse the CVE-2022-41082, the same bug exploited by ProxyNotShell.
"In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access," the researchers said.
"Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange."
While ProxyNotShell exploits target CVE-2022-41040, CrowdStrike found that the flaw abused by the newly discovered exploit is likely CVE-2022-41080, a security flaw Microsoft tagged as critical and not exploited in the wild that allows remote privilege escalation on Exchange servers.
Continue reading HERE