New Wave of Cyberattacks Targeting MS Exchange Servers

Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs.

Most of the attacks occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

Bitdefender Labs has shared its findings on a new wave of untargeted cyberattacks in which attackers are abusing two exploit chains to target on-premises MS Exchange servers.

Findings Review

Bitdefender noted that, at the end of November 2022, there was an increase in attacks leveraging two exploit chains identified as ProxyNotShell and OWASSRF to target MS Exchange servers. The researchers found that cybercriminals prefer to exploit on-premises Exchange servers 2013, 2016, and 2019.

Vulnerabilities explained

Attackers use two tactics in their new attacks against the MS Exchange servers. The first is the ProxyNotShell vulnerability, a combination of two already-disclosed vulnerabilities tracked as CVE-2022-41082 and CVE-2022-41080. It requires threat actors to authenticate to the vulnerable server; this vulnerability was patched in November 2022.

OWASSRF is the other vulnerability exploited in this attack chain. This exploit uses the same two vulnerabilities but in a different way. It is capable of bypassing the ProxyNotShell mitigation solutions; it was used in the Rackspace attack in December 2022.

Attack Details

Technically, the attack is called server-side request forgeries/SSRF. It allows threat actors to send a specially crafted request from a vulnerable server to another server to access resources and fulfil their malicious objectives on the vulnerable server.

Using the two vulnerabilities will allow the attacker to carry out remote code execution if they have the login credentials. They don’t necessarily have to be an administrator to perform desired actions, as any account can be used.

Microsoft patched these vulnerabilities on September 30th and November 8th, 2022. This means only those companies that haven’t yet fixed their systems are at risk. Most of the attacks occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

The attackers target companies from various sectors, including law and brokerage firms, real estate, consultancy firms, and wholesalers. So far, over 100,000 organizations worldwide have been targeted by SSRF attacks.

What is SSRF Attack?

SSRF attacks are increasingly popular among cybercriminals because, if a web app is vulnerable to SSRF, the attacker can send a request from the vulnerable server to any local network resource which isn’t otherwise accessible to the attacker. Otherwise, the attacker would send a request to an external server, e.g., a cloud platform, to carry out specific actions on behalf of the vulnerable server.

Related Posts