Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA).
"The new exploit method bypassesΒ URL rewrite mitigationsΒ for theΒ Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,
Microsoft has updated its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed.
The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamedΒ ProxyNotShellΒ due to similarities to another set of flaws calledΒ ProxyShell, which the tech giant resolved last year.
Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.
Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to