Abed_AL-R
Mar 04, 2021

hafnium attack | exchange iapp

Hi

We're publishing OWA/Outlook through F5 LTM, and yesterday we received an update that a new kind of attack is targeting Exchange servers:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Is there anything else we can do on the F5 machine, other than updating our Exchange servers, to prevent this kind of attack?

Today we are implementing OWA web access through APM and 2FA, and direct access to other URLs like:

"/microsoft-server-activesync*"
"/ews*"
"/enterprisevault/*"
"/autodiscover*"
"/mapi*" 
"/ecp*"
"/oab*"

Has anyone gone through this?

3 Replies

  • APM seems like the way to go; if you add authentication before traffic reaches the Exchange server, you have good protection.

    It remains kinda unclear which path the attacks focus on; this website suggests one. But things move quickly, probably.

    https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

    • boneyard

      If you have ASM / AWAF, this is useful to check:

      https://devcentral.f5.com/s/articles/HAFNIUM-APT-Group-Exploiting-Microsoft-Exchange-Vulnerabilities

      • Abed_AL-R

        Thank you boneyard :) Great articles

        We do have the APM along with 2FA on the OWA.

        We'll also check the ASM option.

        I also saw that DevCentral published an ASM template to have OWA in blocking mode from day one:

        https://devcentral.f5.com/s/articles/new-asm-outlook-web-access-owa-2016-template-for-bigip-v13-29413