
Latest data breach and vulnerability Weekly Latest Security Vulnerability of the Week 6/01/23 – Microsoft Exchange and OWASSRF, Rackspace Hack, Last pass data breach updates






Intro

This week we deep dive into the updates on ProxyNotShell, the new Microsoft Exchange vulnerabilities being exploited with OWASSRF, the Rackspace data breach, and the potential LastPass vault breach and class action.



INFRA/Network

New strain of attacks leveraging Microsoft Exchange vulnerabilities: OWASSRF

A new strain of attacks is being used to compromise Exchange endpoints. Attacker groups like Play leverage this chaining methodology to exploit vulnerable Exchange servers.

The exploit is used to establish persistent footholds that are later used to breach organizations.

Attackers are leveraging this new technique, dubbed OWASSRF, to bypass the blocking rules for the ProxyNotShell flaws in Microsoft Exchange Server and achieve remote code execution (RCE) through Outlook Web Access (OWA).

Microsoft addressed all three vulnerabilities as part of its Patch Tuesday updates for November 2022. It is, however, unclear whether CVE-2022-41080 was actively exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.

From the latest Microsoft update: Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog.

What is OWASSRF?

OWASSRF is a new exploit used by malicious actors to bypass the mitigations suggested by Microsoft for the Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082. These vulnerabilities, which allow for remote code execution and server-side request forgery, were initially referred to as ProxyNotShell. However, the new OWASSRF exploit is likely to target the critical security flaw CVE-2022-41080, which allows for remote privilege escalation on Exchange servers and has not previously been observed being exploited in the wild. This highlights the importance of regularly updating and patching your cloud systems to prevent vulnerabilities like these from being exploited.

What are Server-Side Request Forgery and Remote Code Execution Attacks?

Server-Side Request Forgery (SSRF) is an attack in which an attacker abuses an application that fetches data from URLs it is given. By controlling those URLs, the attacker can make the server issue requests to destinations of the attacker's choosing. This tricks the server into sending requests to other servers or services that are reachable from the server itself, such as internal network services or databases. The attack can be used to gain access to sensitive information or as a stepping stone to other attacks, such as denial of service (DoS).

Remote Code Execution (RCE), on the other hand, involves an attacker executing malicious code on a system remotely. Once an attacker gains access through an RCE vulnerability, they can run malware or even take complete control of the affected system.

History:

On September 29, 2022, reports emerged of active exploitation of two zero-day vulnerabilities in Microsoft Exchange, which could allow remote code execution (RCE). Microsoft identified these vulnerabilities as CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows RCE. These vulnerabilities were collectively referred to as ProxyNotShell.

On December 20th, researchers detected a new exploit used by malicious actors to bypass the mitigations suggested by Microsoft and dubbed it OWASSRF. While the original ProxyNotShell exploits targeted CVE-2022-41040, the flaw used by the new exploit is likely to be CVE-2022-41080. This critical security flaw allows for remote privilege escalation on Exchange servers and had not previously been observed being exploited in the wild.

Affected Products

The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Microsoft, for its part, has tagged CVE-2022-41080 with an "Exploitation More Likely" assessment, implying that, despite fixes and countermeasures, an attacker could create exploit code that weaponizes the flaw reliably.

“The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint,” CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday.

CrowdStrike noticed that initial access to the target environments was not achieved by directly exploiting CVE-2022-41040, but rather through the OWA endpoint.

The OWASSRF technique likely takes advantage of another critical flaw tracked as CVE-2022-41080 (CVSS score: 8.8) to achieve privilege escalation, followed by abusing CVE-2022-41082 for remote code execution.

How do attackers chain the vulnerabilities?

How does this exploit differ from ProxyNotShell?

Figure 3. Difference between ProxyNotShell and the new OWASSRF exploit method (credit: CrowdStrike)

Microsoft released a blog advocating for a custom rewrite rule inside the Microsoft IIS server supporting Exchange. This rule was designed to match the decoded URI of any incoming request with the regex (?=.*autodiscover)(?=.*powershell), so the request is dropped when the decoded URI matches this regex. Microsoft provided the same rule through the Exchange Emergency Mitigation Service for newer on-premises servers, which installs it automatically.

The regex, and thus the rule, matches only requests made to the Autodiscover endpoint of the Microsoft Exchange server. In the exploit method described here as OWASSRF, the Autodiscover endpoint is not used, so the request does not match the rule and is not dropped.

This first step provides an SSRF equivalent to the Autodiscover technique used in ProxyNotShell exploitation. The second step is simply the same exploit used in the second step of ProxyNotShell, allowing code execution through PowerShell remoting.

Further reading on OWASSRF: CrowdStrike's detailed analysis

Suggested next steps and update

All details are in the Microsoft blog:

Security Updates are available in a self-extracting auto-elevating .exe package and the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.

The November 2022 SUs are available for the following specific versions of Exchange Server:

The November 2022 Security Updates contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082).

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take action other than updating Exchange servers in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

The following update paths are available:


Old actors re-emerge: Blind Eagle

Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including sophisticated tools and government-themed lures to activate the kill chain.

The targeted banks include Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion.

Should the email recipient be located outside of Colombia, the attack sequence is aborted, and the victim is redirected to the official website of the Colombian border control agency, Migración Colombia.

Latest Data Breaches & Security Incidents

Rackspace data breach and security incident confirmed as ransomware from the Play group

Back in December (12/02/22) Rackspace had an outage of unknown nature:

We are investigating an issue that is affecting our Hosted Exchange environments. More details will be posted as they become available.

On Jan 6th the hosting provider confirmed it was ransomware.

Rackspace has spent a considerable amount to transfer their Gousto MWR from the infected server after visible downtime.

The cloud provider confirmed Play was responsible for last month’s breach.

The security incident, which occurred on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

"This zero-day exploit is associated with CVE-2022-41080," the Texas-based company said. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable."

The sophisticated attack bypassed the initial countermeasures deployed as part of Microsoft's recommendations.

Only a small percentage of customer mailboxes were compromised, and there was no evidence that data was accessed.

The threat actor accessed the Personal Storage Table (.PST) of 27 customers out of a total of nearly 30,000 customers on the Hosted Exchange email environment.

A new technique, dubbed OWASSRF, employed by the Play ransomware actors was leveraged for this attack.

The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.

LastPass data breach and class action

LastPass detected, back in August 2022, threat actors accessing part of the organization's data, as well as user data. The threat actors accessed its cloud systems and repositories. At the time, LastPass notified users that no user data had been accessed.

Although the hackers did obtain some of LastPass’s source code and “proprietary LastPass technical information,” the company claims there is no evidence that user data or encrypted password vaults were stolen. The LastPass statement states:

“In response to the incident, we have deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm.”

More recently, LastPass has disclosed:

Based on our investigation, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. 

The vault files are encrypted; threat actors could attempt to decrypt them, but this is unlikely to succeed without access to additional information. Moreover, each vault has a different key, so each must be decrypted individually. Given the access to the source code, the threat actors may make further attempts to obtain material pertaining to user accounts and accelerate the breach.

Nonetheless, some of the information in the vault is unencrypted, which might help attackers narrow down the key, reducing the brute-force search space and hence accelerating possible access.

The breach includes other customer data, including names, email addresses, phone numbers, and billing information. LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, is not.

According to LastPass's latest announcement:

"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."

Should you stop using your password manager?

Should you stop using a password manager and store your keys in another vault or document? Probably not, but be mindful of classic password hygiene rules and rotate your passwords.

The possibility of vaults being broken by brute-forcing the key

There has been a lot of speculation about vault encryption and nation-state actors breaking the keys.

Without specific knowledge of the key or the password, brute force is the only logical method.

In the case of asymmetric encryption algorithms (like RSA), quantum computing completely breaks them. However, for symmetric algorithms like AES, Grover's algorithm, the best known quantum algorithm for attacking them, only weakens them. Grover's algorithm halves the effective key length of a symmetric encryption algorithm, so AES-128 has an effective key space of 2^64 and AES-256 has an effective key space of 2^128.

However, while this seems significant, it doesn’t break either algorithm. With the right quantum computer, AES-128 would take about 2.61*10^12 years to crack, while AES-256 would take 2.29*10^32 years. For reference, the universe is currently about 1.38×10^10 years old, so cracking AES-128 with a quantum computer would take about 200 times longer than the universe has existed.

An example

As a result, a brute force attack against an AES-256 key is much harder than against an AES-128 key. However, even a 128-bit key is secure against attack by modern technology. At its peak, the Bitcoin network – arguably the largest modern use of computational power for cryptography – performed approximately 150*10^18≈2^67 operations per second. Assuming that these operations are of equal difficulty to a brute force attack, it would take the Bitcoin network over 70,000,000,000,000,000,000,000,000 years to crack a single AES-128 key.

The LastPass class action

A LastPass user has filed a class-action lawsuit against the password management provider for failing to prevent a recent, staggering data breach. The lawsuit, filed this week in the US District Court in Massachusetts, comes from an anonymous LastPass user named as John Doe.


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
