CVE-2021-26855 (SSRF) HAFNIUM APT Group Exploiting Microsoft Exchange Vulnerabilities

Recently, Microsoft issued an out-of-band patch for seven Remote Code Execution vulnerabilities in Microsoft Exchange Server. The Microsoft Threat Intelligence Center (MSTIC) has observed four of those vulnerabilities being actively exploited in the wild.


Figure 1: Microsoft Exchange 0-Day vulnerabilities exploited in the wild


The attacks are attributed to an APT group named HAFNIUM, which exploited these vulnerabilities mainly against targets across several industry sectors in the United States. After gaining access to vulnerable Exchange servers, HAFNIUM operators exfiltrated data such as the Exchange address book from the compromised server.


At the time of writing there are no public technical details on these vulnerabilities, nor proof-of-concept exploits for them. Meanwhile, we have successfully recreated the exploit flow for the insecure deserialization vulnerability (CVE-2021-26857) and released a dedicated attack signature to mitigate it.


We will continue analyzing the rest of the vulnerabilities and are closely monitoring for public PoC exploits related to them.


Mitigating CVE-2021-26855 and CVE-2021-26857 with Advanced WAF

Advanced WAF customers on any supported version are already protected against these vulnerabilities, as exploitation attempts are detected by dedicated signatures released recently. The signatures can be found under the "Server Side Code Injection Signatures" and "Other Application Attacks Signatures" signature sets. Note that signatures block attempts at the WAF; they do not remediate a server that was exploited before they were applied, so patching the Exchange servers and checking them for prior compromise (see the Microsoft advisory in the references below) remain necessary.


Figure 2: CVE-2021-26855 Exploit attempt blocked by signature id 200018127


Figure 3: CVE-2021-26855 Exploit attempt blocked by signature id 200018128


Figure 4: CVE-2021-26857 Exploit attempt blocked by signature id 200104705


Mitigating CVE-2021-26855 and CVE-2021-26857 with Threat Campaigns


Advanced WAF customers with a Threat Campaigns license can detect and block campaigns targeting these vulnerabilities with the following Threat Campaigns:

  • Microsoft Exchange Resource Cookie SSRF
  • Microsoft Exchange ContactInfo Unsafe Deserialization


Figure 5: CVE-2021-26855 Exploit attempt blocked by Threat Campaigns feature

Figure 6: CVE-2021-26857 Exploit attempt blocked by Threat Campaigns feature
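The signatures and Threat Campaigns above stop exploitation attempts that pass through the WAF; they say nothing about a server that was hit before they were deployed. The following script is an added example, not code from the original post or from F5, that ports to Python the two server-side hunting queries Microsoft published in the HAFNIUM blog post referenced below: for CVE-2021-26855, HttpProxy log rows with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*; for CVE-2021-26857, Application event log errors from the MSExchange Unified Messaging source whose message contains System.InvalidCastException. The log excerpt and event records are constructed, the HttpProxy column list is abridged to the columns the check uses, and the function names are this example's own.

```python
"""Hunt for the CVE-2021-26855 (SSRF) and CVE-2021-26857 (Unified Messaging
deserialization) indicators Microsoft published, ported to Python from the
PowerShell one-liners in the referenced HAFNIUM blog post. Added example;
all sample data below is constructed."""
import csv
import re
from typing import Dict, Iterable, List

# Constructed, abridged HttpProxy log in the layout Exchange writes under
# %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy: '#' metadata
# lines, a '#Fields:' line, a plain header row, then CSV rows. Real files carry
# many more columns; only AuthenticatedUser and AnchorMailbox matter here.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T02:47:36.312Z,req-1,203.0.113.10,mail.example.test,/owa/auth/x.js,,ServerInfo~backend.example.test/autodiscover/autodiscover.xml,200
2021-03-03T02:48:01.004Z,req-2,192.0.2.55,mail.example.test,/owa/,CORP\\jdoe,Smtp~jdoe@example.test,200
2021-03-03T02:49:12.770Z,req-3,198.51.100.7,mail.example.test,/ecp/y.js,,ServerInfo~backend.example.test/ecp/,200
2021-03-03T02:50:05.001Z,req-4,192.0.2.56,mail.example.test,/autodiscover/autodiscover.xml,,Smtp~guest@example.test,401
"""

# Constructed Application event log records in the shape Get-EventLog exposes
# (Source, EntryType, Message); 'Index' is a constructed identifier.
SAMPLE_APP_EVENTS: List[Dict[str, str]] = [
    {"Index": "ev-1", "Source": "MSExchange Unified Messaging", "EntryType": "Error",
     "Message": "Unified Messaging worker process terminated. "
                "Exception: System.InvalidCastException: Unable to cast object."},
    {"Index": "ev-2", "Source": "MSExchange Unified Messaging", "EntryType": "Information",
     "Message": "The Microsoft Exchange Unified Messaging service started."},
    {"Index": "ev-3", "Source": "MSExchange ADAccess", "EntryType": "Error",
     "Message": "Process w3wp.exe: System.InvalidCastException in an unrelated component."},
]


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange HttpProxy CSV log: '#'-prefixed metadata lines are
    skipped, column names come from the '#Fields:' line (or from a plain
    header row when that is all the file has), a duplicate plain header row
    after '#Fields:' is dropped, and each data row becomes a dict."""
    fieldnames: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if not fieldnames:            # file with a plain header row only
            fieldnames = values
            continue
        if values == fieldnames:      # duplicate header row after '#Fields:'
            continue
        rows.append(dict(zip(fieldnames, values)))
    return rows


# Equivalent of PowerShell's -like 'ServerInfo~*/*' (case-insensitive).
SERVERINFO_ANCHOR = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)


def ssrf_hits(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Microsoft's CVE-2021-26855 query: an unauthenticated request that the
    front end routed using a ServerInfo~ anchor mailbox."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and SERVERINFO_ANCHOR.match(r.get("AnchorMailbox", ""))
    ]


def um_deserialization_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Microsoft's CVE-2021-26857 query: Application log errors from the
    'MSExchange Unified Messaging' source mentioning System.InvalidCastException,
    the failed deserialization surfacing as a UM worker crash."""
    return [
        e for e in events
        if e.get("Source") == "MSExchange Unified Messaging"
        and e.get("EntryType") == "Error"
        and "System.InvalidCastException" in e.get("Message", "")
    ]


def run_checks(log_text: str = SAMPLE_HTTPPROXY_LOG,
               events: Iterable[Dict[str, str]] = SAMPLE_APP_EVENTS) -> Dict[str, List[str]]:
    """Run both checks and return the matching request and event identifiers."""
    return {
        "cve-2021-26855": [r["RequestId"] for r in ssrf_hits(parse_httpproxy_log(log_text))],
        "cve-2021-26857": [e["Index"] for e in um_deserialization_hits(events)],
    }


if __name__ == "__main__":
    for cve, ids in run_checks().items():
        print(f"{cve}: {len(ids)} hit(s) {ids}")
```

On a real server, feed parse_httpproxy_log the contents of the files under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and feed um_deserialization_hits the records from Get-EventLog -LogName Application exported to JSON. A hit from either check indicates the server was already targeted and warrants incident response beyond patching and WAF signatures.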


Additional References

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Published Mar 04, 2021
Version 1.0
  • Wei

    May I know when the official publication will be released?

  • xaxe

    Hi,

    We're running Exchange (OWA) behind an F5 using the Exchange 2016 iApp, which presents the F5 forms-based logon before even displaying the Exchange/OWA logon screen.

    We are scrambling to patch the server; however, are we protected by being behind the iApp/F5?

  • Xaxe - You need an Advanced WAF / ASM license in order to protect OWA using the signatures we mentioned.