Microsoft advises customers to keep their Exchange servers up to date and to take additional precautions such as turning on Windows Extended Protection and setting up certificate-based signing of PowerShell serialisation payloads.
The software giant's Exchange Team stated in a post that attackers will not stop targeting unpatched Exchange servers: the value of unpatched on-premises Exchange infrastructure to hostile actors seeking to steal data or carry out other malicious activity is simply too great.
Microsoft also noted that the mitigations it has released are only a temporary fix and may "become insufficient to guard against all permutations of an attack," so customers need to install the required security updates to actually secure the server.
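As an added example (not from the article, and not Microsoft's own text), the three hardening steps above as they would be typed into the Exchange Management Shell on an on-premises Exchange 2016/2019 server. The server names are placeholders; the script name (ExchangeExtendedProtectionManagement.ps1, from Microsoft's CSS-Exchange repository) and the cmdlet parameters are those Microsoft has documented, but the guidance has been revised several times, so check the current documentation before running any of it.

```powershell
# Added example, not from the article or from Microsoft. Server names EX01/EX02
# are placeholders. Run from the Exchange Management Shell as an Exchange admin.

# 1. Confirm the build first. The signing-verification override is ignored on
#    builds older than the security update that introduced it, and the Extended
#    Protection script refuses to touch servers on unsupported builds. The
#    Exsetup.exe file version is the reliable indicator of the installed SU.
(Get-Command Exsetup.exe).FileVersionInfo.ProductVersion

# 2. Windows Extended Protection (channel binding on the IIS virtual
#    directories). Show the current state, then enable it. Microsoft's script
#    is designed to be run against all Exchange servers in the org together;
#    it performs its own prerequisite checks and declines to proceed if they
#    fail (for example, inconsistent TLS settings between servers).
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
.\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames EX01,EX02

# 3. Certificate-based signing of PowerShell serialisation payloads.
#    The override is created once, org-wide (no -Server parameter), so it
#    applies to every server. Each server then needs a configuration refresh
#    and an IIS restart for it to take effect.
New-SettingOverride -Name "EnableSigningVerification" `
    -Component Data -Section EnableSerializationDataSigning `
    -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"

# Run on each server after creating the override:
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh
Restart-Service -Name W3SVC, WAS -Force

# Verify the override exists and carries the expected parameter.
Get-SettingOverride -Identity "EnableSigningVerification" |
    Format-List Name, Component, Section, Parameters
```

Order matters: install the security update first, because steps 2 and 3 are only meaningful on a build that supports them, and re-run the verification after the restart so that a server missed during the rollout does not sit silently unprotected.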
A technical advisory released by Bitdefender this week describes Exchange as a "perfect target" and includes a timeline of real-world attacks that have used the ProxyNotShell / OWASSRF exploit chains since late November 2022.
Exchange has a complicated network of frontend and backend services, as well as legacy code kept for backward compatibility, according to Martin Zugec of Bitdefender. Backend services trust the requests coming from the front-end (Client Access Services) layer.
Another reason is that many of the backend services are run by Exchange Server itself, which has SYSTEM privileges. In addition, the exploits could give the attacker unauthorised access to the remote PowerShell service, effectively opening the door to the execution of malicious commands.
To that end, attacks exploiting the ProxyNotShell and OWASSRF weaknesses have targeted the consultancy, legal, manufacturing, real estate, and wholesale sectors in Austria, Kuwait, Poland, Turkey, and the United States.
Most of the attacks, which are described as opportunistic rather than focused and targeted, culminate in infections that establish web shells and remote monitoring and management (RMM) tools such as ConnectWise Control and GoTo Resolve.
Besides providing a persistent remote access mechanism, web shells let the criminals carry out a variety of follow-on tasks and even resell access to other hacker groups for a profit.
In some instances the staging servers used to host the payloads were themselves already-compromised Microsoft Exchange servers, suggesting the same technique was used to widen the scope of the attacks.
Also observed were unsuccessful attempts by the adversaries to download Cobalt Strike and a Go-based implant codenamed GoBackClient, which can collect system information and spawn reverse shells.
The developers of Cuba (also known as COLDDRAW) ransomware, UNC2596 (also known as Tropical Scorpius), have a history of abusing Microsoft Exchange vulnerabilities. In one attack, the BUGHATCH downloader was dropped using the ProxyNotShell exploit sequence.
Although the initial infection vector keeps changing and threat actors are eager to take advantage of every new opportunity, Zugec said that their post-exploitation activities are well known. A defence-in-depth architecture is the best defence against contemporary cyberattacks.