CVSS3 base score: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as "OWASSRF": a chaining of CVE-2022-41080 and CVE-2022-41082 that bypasses the URL rewrite mitigations Microsoft provided for ProxyNotShell, allowing remote code execution (RCE) through privilege escalation via Outlook Web Access (OWA).
Patched servers do not appear to be vulnerable; servers relying only on Microsoft's mitigations do appear to be vulnerable.
Threat actors are using this to deploy ransomware.
Rapid7 recommends that organizations that have yet to install the Exchange update (KB5019758) from November 2022 do so immediately and investigate their systems for indicators of compromise. Do not rely on the URL rewrite mitigations for protection.
The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:
In addition to the detection rules included in InsightIDR for Rapid7 customers, other IOCs include:
45.76.141[.]84
45.76.143[.]143
Example command being spawned by IIS (w3wp.exe):
Decoded command, where the highlighted string (0x2d4c8f8f) is the hex representation of the IP address 45.76.143[.]143.
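As an added example (not part of Rapid7's advisory or its detection rules), the following triage script decodes 0x-prefixed 32-bit hex literals found in the command lines of processes spawned by IIS (w3wp.exe) and matches the decoded addresses against the two IOCs listed above. The process-event records, their field names and the sample command line are constructed for illustration.

```python
import ipaddress
import re

# IOCs from the advisory (defanged on the page as 45.76.141[.]84 / 45.76.143[.]143).
KNOWN_IOCS = {"45.76.141.84", "45.76.143.143"}

# A 0x-prefixed literal of exactly eight hex digits, i.e. one packed IPv4 address.
HEX_IP_RE = re.compile(r"0x([0-9a-fA-F]{8})\b")


def hex_to_ipv4(hex_literal):
    """Decode a 0x-prefixed 32-bit hex literal into dotted-quad IPv4 (big-endian).
    0x2d4c8f8f -> 45.76.143.143"""
    return str(ipaddress.IPv4Address(int(hex_literal, 16)))


def find_encoded_ips(command_line):
    """Return every hex-encoded IPv4 address found in a command line, decoded."""
    return [hex_to_ipv4("0x" + digits) for digits in HEX_IP_RE.findall(command_line)]


def flag_process_events(events):
    """Flag child processes of w3wp.exe whose command line carries a hex-encoded IOC.

    Each event is a dict with the (constructed) keys: pid, parent, child, cmdline.
    """
    hits = []
    for event in events:
        if event["parent"].lower() != "w3wp.exe":
            continue  # only interested in processes spawned by IIS
        matched = [ip for ip in find_encoded_ips(event["cmdline"]) if ip in KNOWN_IOCS]
        if matched:
            hits.append({"pid": event["pid"], "child": event["child"], "iocs": matched})
    return hits


# Constructed sample telemetry; the command line content is a placeholder, not the real payload.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "w3wp.exe", "child": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "$a=0x2d4c8f8f; <constructed, rest elided>"'},
    {"pid": 4133, "parent": "w3wp.exe", "child": "conhost.exe",
     "cmdline": "conhost.exe 0xffffffff -ForceV1"},  # hex literal, but not an IOC
    {"pid": 5010, "parent": "explorer.exe", "child": "powershell.exe",
     "cmdline": "powershell.exe -c 0x2d4c8f8f"},  # matching IOC, but wrong parent
]

if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_EVENTS):
        print(hit)
```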
Rapid7 has evidence of exploitation in the wild as far back as December 1, 2022.
Customers already have coverage to assist in assessing exposure to and detecting exploitation of this threat.
InsightVM and Nexpose added checks for CVE-2022-41080 and CVE-2022-41082 on November 8, 2022.
InsightIDR customers can look for the alerting of the following rules, typically seeing several (or all) triggered on a single executed command:
Additional detections currently being observed with follow-on activity in these compromises include:
Your customer advisor will reach out to you right away if any suspicious activity is observed in your organization.
Eoin Miller contributed to this article.
12/21/22 4PM ET: Updated IOC with EITW information.