Microsoft Exchange servers exploited with OWASSRF

Executive Summary

In December 2022, Telsy Incident Response Team was called upon to handle a cyber security incident. The analysis conducted detected the execution of PowerShell code by exploiting a vulnerability in Microsoft Exchange.

Further investigation aligned these attacks to what CrowdStrike is reporting as 'OWASSRF', a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via Outlook Web Access (OWA).

After exploiting these vulnerabilities, in which the actor used a PowerShell-based backdoor to execute commands on the Exchange server, the actor created a local administrator account and used living-off-the-land binaries (LOLBins) as part of his attacks. For example, it used Task Manager to dump Local Security Authority Server Service (LSASS) processes.

During the discovery phase, the actor collects more details about the AD environment. We observed that AD queries and scanning activity for remote systems were performed by different tools, such as Microsoft Nltest, SharpHound and GRB_NET.

After this phase, lateral movement activities were detected with the use of PsExec and the creation of a Windows task to ensure persistence through the execution of the malware SystemBC. SystemBC is a proxy malware that has been used in various ransomware attacks.

Indeed, the analysis revealed that the actor used elements of the network[1] infrastructure and tools already observed in past ransomware attacks conducted by groups such as BlackBasta, Hive, and Play.

 

[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-321a


 

Fill out the form below to download the full report

    Terms & Conditions

    Check other cyber reports on our blog.

    This report was produced by Telsy’s “Cyber Threat Intelligence” team with the help of its CTI platform, which allows to analyze and stay updated on adversaries and threats that could impact customers’ business.