Recently, Microsoft issued an out-of-band patch that aims to mitigate seven Remote Code Execution vulnerabilities in Microsoft Exchange. The Microsoft Threat Intelligence Center (MSTIC) has observed active exploitation of four of those vulnerabilities in the wild.
Figure 1: Microsoft Exchange 0-Day vulnerabilities exploited in the wild
The attacks are attributed to an APT group named HAFNIUM, which exploited those vulnerabilities mainly against targets from different industry sectors in the United States. After gaining access to vulnerable Exchange servers, HAFNIUM operators exfiltrated data such as the Exchange address book from the compromised server.
Currently there are no public technical details on the vulnerabilities, nor proof-of-concept exploits for them. Meanwhile, we have successfully recreated the exploit flow for the insecure deserialization vulnerability (CVE-2021-26857) and have released a dedicated attack signature to mitigate it.
We will continue analyzing the rest of the vulnerabilities, and we are closely monitoring for public PoC exploits related to them.
Mitigating CVE-2021-26855 and CVE-2021-26857 with Advanced WAF
Advanced WAF customers on any supported version are already protected against these vulnerabilities, as exploitation attempts will be detected by dedicated signatures that were recently released. The signatures can be found under the "Server Side Code Injection Signatures" and "Other Application Attacks Signatures" signature sets.
Figure 2: CVE-2021-26855 Exploit attempt blocked by signature id 200018127
Figure 3: CVE-2021-26855 Exploit attempt blocked by signature id 200018128
Figure 4: CVE-2021-26857 Exploit attempt blocked by signature id 200104705
Mitigating CVE-2021-26855 and CVE-2021-26857 with Threat Campaigns
Advanced WAF customers with a Threat Campaigns license can detect and block campaigns targeting these vulnerabilities with the following Threat Campaigns:
Microsoft Exchange Resource Cookie SSRF
Microsoft Exchange ContactInfo Unsafe Deserialization
Figure 5: CVE-2021-26855 Exploit attempt blocked by Threat Campaigns feature
Figure 6: CVE-2021-26857 Exploit attempt blocked by Threat Campaigns feature