Cybercriminals escalating assaults on Exchange Servers, capitalizing on vulnerabilities
In a series of recent cyber attacks, threat actors have been exploiting vulnerabilities in Microsoft Exchange Servers, primarily targeting U.S. companies but also impacting firms in Poland, Kuwait, Austria, and Turkey. The attacks, which do not appear to be aimed at a specific industry, seem opportunistic in nature.
Palo Alto Networks was among the first to describe an early attempt to deploy a PowerShell-based backdoor named SilverArrow as the initial payload, and its researchers have since observed a limited number of attacks using similar methods, dating back to November. The exploitation the company observed goes through the Outlook Web Access (OWA) front-end endpoint to trigger CVE-2022-41080, the privilege-escalation flaw that, chained with the CVE-2022-41082 remote code execution bug, makes up the OWASSRF exploit chain.
In one case, SilverArrow led to remote desktop access, which the attackers used to dump user credentials from memory. In another, the threat actors tried to dump credentials from the Security Accounts Manager (SAM) database and from Local Security Authority Subsystem Service (LSASS) process memory, most likely in preparation for a ransomware attack.
Researchers from Bitdefender Labs have observed an increase since late November in attacks using the ProxyNotShell and OWASSRF exploit chains against on-premises Microsoft Exchange Server deployments. ProxyNotShell chains CVE-2022-41040 with CVE-2022-41082; OWASSRF swaps in CVE-2022-41080 as the entry point, which lets it bypass the URL-rewrite mitigation Microsoft had published for ProxyNotShell. Both chains only work against servers that have not applied Microsoft's security updates. Threat actors were observed attempting to drop web shells to establish persistence on compromised systems, a technique typically employed by initial access brokers.
Cuba ransomware actors were found attempting to use a ProxyNotShell exploit chain to execute PowerShell commands and download a Bughatch downloader. In one scenario, attackers attempted to use Meterpreter, a Metasploit attack payload, and ConnectWise Control, formerly known as ScreenConnect, after using the ProxyNotShell exploit chain.
Palo Alto Networks described an attempt to exploit OWASSRF in a December blog post, attributing the activity to a known actor on the strength of overlapping indicators of compromise and reused infrastructure. CrowdStrike, which named the OWASSRF technique, had earlier disclosed its use in Play ransomware intrusions, where the server-side request forgery through OWA was used to reach the back-end PowerShell endpoint.
Microsoft urged customers to apply the Exchange Server security updates released in November, which address the vulnerabilities used by both chains; the URL-rewrite mitigation published for ProxyNotShell does not stop OWASSRF. There is no publicly available list of which companies, beyond those in the countries named above, were affected by the ProxyNotShell/OWASSRF exploit chains and the related techniques.
Researchers from several organisations have documented the attack scenarios they observed; Bitdefender, for instance, outlined four distinct scenarios. While the threat is ongoing, keeping Exchange servers current with security updates, monitoring for the exploitation patterns and follow-on tooling described here (web shells, credential dumping, remote-access software), and staying aware of the attackers' methods give organisations the best chance of protecting themselves.