Bitdefender warns of an increase in cyberattacks on on-premises deployments of Microsoft Exchange Server 2013, 2016 and 2019.

The security company witnessed a recent rise in ProxyNotShell and OWASSRF, two tactics for attacks on Microsoft Exchange Server.

The tactics exploit two known vulnerabilities: CVE-2022-41082 and CVE-2022-41080. The vulnerabilities were patched by Microsoft on September 30 and November 8, respectively. Only companies with outdated versions are at risk.

ProxyNotShell and OWASSRF

Bitdefender included a detailed description of the techniques behind ProxyNotShell and OWASSRF in its advisory. To summarize, the combination of the vulnerabilities mentioned above allows for remote code execution.

The only condition is that the attacker has the login credentials of a user. This doesn’t have to be an administrator: any account will do.

Most of the incidents detected by Bitdefender since November 2022 took place in the United States. Companies in Poland, Austria and Turkey were hit as well. Targets are diverse, ranging from brokerages and law firms to wholesalers and consultancy companies.

SSRF attacks

Both ProxyNotShell and OWASSRF are categorized as SSRF attacks, short for server-side request forgery. Some systems only listen to trusted servers. An SSRF attack involves a hacker hijacking or manipulating a trusted server to reach a system.

The problem in Microsoft Exchange stems from Client Access Services (CAS), a part of the application responsible for all external HTTP/HTTPS requests. CAS determines a user’s identity, for instance, to inform the application whether or not a user should have access to a mailbox.

Various parts of Microsoft Exchange listen to CAS. In 2021, security researchers discovered that CAS was vulnerable to SSRF attacks. Among other exploits, hackers abused CAS to access mailboxes.

Mitigation

Companies using the latest versions of Microsoft Exchange are safe at the time of writing. Every related vulnerability has been patched by Microsoft. That doesn’t stop cybercriminals from attacking companies with outdated versions.

Bitdefender advises organizations to invest in patch management. In addition, the security company points to the effectiveness of threat intelligence solutions, which recognize suspicious IP addresses to block requests.

Tip: Exchange Server 2013 reaches end-of-support on April 11