2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
CTOnews.com, December 22 (Xinhua)-- Cyber security company CrowdStrike recently discovered a new vulnerability called "OWASSRF" after investigating a number of Play ransomware cases. Hackers use this vulnerability to bypass Microsoft's ProxyNotShell URL rewriting mitigation measures and execute remote code via Outlook Web Access (OWA).
After an in-depth investigation of "OWASSRF", security experts found that the suspected common entry vector was the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082. The team also found that initial access to the target network was not achieved through direct use of CVE-2022-41040, but through OWA endpoints.
"The new approach bypasses the URL rewriting mitigation for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell," CrowdStrike researchers said in a blog post on December 20. This seems to be a novel and previously undocumented way to access the PowerShell remoting service through the OWA front-end endpoint rather than using the Autodiscover endpoint.
CTOnews.com learned that although ProxyNotShell exploited CVE-2022-41040, CrowdStrike found that the new exploit may have used another serious vulnerability, which was traced to CVE-2022-41080 (CVSS score: 8.8) and was used together with CVE-2022-41082 for remote code execution.
"After initial access through this new exploit method, threat actors use legitimate Plink and AnyDesk executables to maintain access and perform anti-forensics techniques on the Microsoft Exchange server to try to hide their activities," CrowdStrike added.
Microsoft addressed these three vulnerabilities during the November Patch Tuesday. "Threat actors are likely to continue to exploit Microsoft Exchange vulnerabilities and innovate the deployment of destructive ransomware," said Thomas Etheridge, chief global professional services officer at CrowdStrike.