SSRF attacks hit 100,000 businesses globally since November

Security teams are warned to be on the lookout for a growing wave of opportunistic and largely untargeted cyber attacks exploiting two related exploit chains to target Microsoft Exchange servers.

This is according to Bitdefender Labs, which noted an uptick in attack volumes beginning at the end of November 2022. The attacks are technically known as server-side request forgeries (SSRF), and are rapidly becoming widely popular and routinely exploited by the cyber criminal underground – mainly because Microsoft Exchange is so widely used.

In an SSRF attack, a threat actor sends a specially crafted request from a vulnerable server to another server on the vulnerable server’s behalf, and thus becomes able to access resources or information not directly accessible to them, and perform actions on the vulnerable server’s behalf.

There are two exploit chains currently under active exploitation. The first is ProxyNotShell, a combination of two disclosed vulnerabilities, CVE-2022-41080 and CVE-2022-41082 that requires the threat actor to authenticate to the vulnerable server, and was patched by Microsoft in November 2022.

The second is known as OWASSRF. This is a slightly different exploit chain that uses the same two vulnerabilities, albeit slightly differently in such a way that it can bypass the ProxyNotShell mitigations. OWASSRF was used in the December 2022 Rackspace attack.

The research team claims that more than 100,000 organisations globally have fallen victim to SSRF attacks in the past couple of months, with the majority of victims in the US and Europe. Victims were found in multiple sectors including arts and entertainment, consultancy, legal, manufacturing, real estate and wholesale.

“While the initial infection vector keeps evolving and threat actors are quick to exploit any new opportunity, their post-exploitation activities are familiar. The best protection against modern cyber attacks is a defence-in-depth architecture,” the Bitdefender team wrote.

“Start with reducing your attack surface, focusing on patch management – not only for Windows but for all applications and internet-exposed services), and detection of misconfigurations.

“The next security layer should be reliable world-class protection controls that can eliminate most security incidents, using multiple layers of security, including IP/URL reputation for all endpoints, and protection against fileless attacks.

“Implementing IP, domain, and URL reputation…is one of the most effective methods to stop automated vulnerability exploits. According to analysis in the Data breach investigations report 2022, only 0.4% of the IPs that attempted RCEs were not seen in one of the previous attacks. Block bad IPs, domains or URLs on all devices, including endpoints, and prevent a security breach in your business environment.

“Finally, for the few incidents that get through your defenses, lean on security operations, either in-house or through a managed service, and leverage strong detection and response tools. Modern threat actors often spend weeks or months doing active reconnaissance on networks, generating alerts and relying on the absence of detection and response capabilities,” they said.

The Bitdefender team found evidence of multiple different types of cyber attacks taking advantage of the two exploit chains.

Among them were the deployment of remote access and administration tools, the use of web shells, likely by initial access brokers (IABs), the deployment of the Cuba ransomware, and the theft of credentials.