Mitigation for Exchange Servers Hafnium Zero-day vulnerabilities

Posted by Zevenet | 18 March, 2021 | Technical

Even though it has been only a few months since the already famous attack on the SolarWinds supply chain, again we have to write about another hacking issue, this time related to Microsoft Exchange Server.

In this case, the zero-day vulnerabilities found in Microsoft Exchange Server 2013, 2016, and 2019 allow an attacker to compromise on-premises Exchange Servers, with impact on many organizations and businesses: the attacker can gain access to email accounts and even install malware that grants long-term access to those servers. Microsoft attributed the attacks to the Hafnium group, but now that the attacks are public, other actors could be using these 0-day exploits as well.

These vulnerabilities have been registered and documented as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. All of them have been addressed, so urgent updates are strongly recommended to customers.

If you’re concerned about these attacks, we recommend implementing a high availability solution plus a web application firewall in order to mitigate them, such as the ZEVENET solution. If updating the Exchange Server is not possible, Microsoft recommends implementing the following mitigations:

1. Trusted users mitigation: Access to the Microsoft Exchange Servers for trusted users only via VPN service.
2. Backend Cookie Mitigation: Implement a Web Application Firewall rule to filter the malicious HTTPS requests using X-AnonResource-Backend and malformed X-BEResource cookies in the headers used in the SSRF attacks.
3. Unified Messaging mitigation: Disable UM.
4. Exchange Control Panel mitigation: Disable the ECP VDir.
5. Offline Address Book mitigation: Disable the OAB VDir.
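The backend cookie mitigation (item 2) is the one most suited to a WAF rule. The following is an added example, not ZEVENET's or Microsoft's own code, showing the decision logic such a rule implements: it parses the Cookie header of an incoming request and blocks it when an X-AnonResource-Backend cookie is present or when an X-BEResource value carries a path followed by a "~digits" suffix. The "malformed" heuristic and the sample requests are assumptions constructed for this example.

```python
import re

# Cookie names named in the mitigation above; the malformed-value pattern is an assumption:
# a routing cookie is treated as malformed when it carries a "/path" followed by "~<digits>".
BLOCKED_COOKIE = "X-AnonResource-Backend"
SUSPECT_COOKIE = "X-BEResource"
MALFORMED_BERESOURCE = re.compile(r"/.+~\d+")


def parse_cookies(header_value):
    """Split a Cookie header into {name: value}; tolerates missing '=' and stray whitespace."""
    cookies = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def classify_request(headers):
    """Return ("block", reason) or ("allow", reason) for a dict of request headers.

    Header-name lookup is case-insensitive, as header names are on the wire.
    """
    cookie_header = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    cookies = parse_cookies(cookie_header)
    if BLOCKED_COOKIE in cookies:
        return "block", f"{BLOCKED_COOKIE} cookie present"
    value = cookies.get(SUSPECT_COOKIE)
    if value is not None and MALFORMED_BERESOURCE.search(value):
        return "block", f"malformed {SUSPECT_COOKIE} cookie"
    return "allow", "no backend-cookie indicators"


# Constructed sample requests (not captured traffic): one ordinary OWA session,
# one legitimate-looking routing cookie, and two that the rule should block.
SAMPLE_REQUESTS = [
    {"Host": "mail.example.com", "Cookie": "ASP.NET_SessionId=abc123; ClientId=xyz"},
    {"Host": "mail.example.com", "Cookie": "X-BEResource=srv01~12345"},
    {"Host": "mail.example.com", "Cookie": "X-AnonResource=true; X-AnonResource-Backend=srv01"},
    {"Host": "mail.example.com", "cookie": "X-BEResource=srv01/owa/x.aspx~1"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["Host"], *classify_request(req))
```

In a production WAF the same two checks would be expressed as the engine's rule syntax and logged, not only blocked, so that hits can be reviewed during incident response.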

At ZEVENET, we’ve been working to make those mitigations very easy to implement via the WAF module and the brand new VPN services. High availability, additional security, and load balancing for Exchange Servers can also be implemented with ZEVENET:

https://www.zevenet.com/knowledge-base/howtos/high-availability-and-site-resilience-for-microsoft-exchange-2016-owa-cas-array-and-dag/

Don’t hesitate to contact us for more details on how to implement those mitigations!

Official info related to these Microsoft vulnerabilities:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
