Microsoft Exchange Servers Hacked by Hafnium

March 16, 2021

If your company subscribes to Microsoft 365 or Exchange Online, rest easy. You are safe. (This includes all Lighthouse Technology Partners customers.)

According to Microsoft, thousands of other self-managed small businesses’ Exchange mail servers were breached. This was discovered last Tuesday. Microsoft initially downplayed the attacks, which took advantage of unpatched servers. Microsoft Vice President Tom Burt reported that a state-sponsored Chinese group named Hafnium executed “limited and targeted attacks” through leased virtualized Exchange servers. “Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Burt said.

By today, though, it was being reported that these were devastating attacks, much worse than the recent SolarWinds events. Over 30,000 businesses and local government accounts are known to be compromised; however, the number could exceed 250,000, according to the Wall Street Journal. The method of attack is very sophisticated: hackers gain access through conventional phishing, then control the servers remotely and harvest troves of organizational and personal data. There is a last step, the scope of which is not yet fully understood: malware has been injected into these compromised infrastructure environments. Currently, it is unclear what this malware does.

This is now a global event, not just affecting U.S. organizations. Microsoft is working with the government’s Cybersecurity & Infrastructure Security Agency (CISA) to issue emergency directives for organizations to patch critical vulnerabilities. 

This crisis raises critical questions as to why the same failures are repeated by organizations that are slow to modernize and maintain their computing environments. Moving away from self-maintained Exchange servers was merely the plucking of the very lowest-hanging fruit to be moved to the cloud. Additionally, the management of these servers is a drain on every organization’s greatest resource: time. Many falsely believed they could do this better than Microsoft’s public cloud offering, Exchange Online, the email service available à la carte or as part of a Microsoft 365 subscription. Twelve years ago, every business managed its own Exchange mail servers, or paid someone to do it for them. This is much less common today.

IT managers and business operators who still want “control” of their own physical, on-premises Exchange mail servers, or of self-managed virtualized versions of these in cloud-hosted environments, only fool themselves. This is a failure of judgment and only a halfway step to the management and security benefits of a more complete digital transformation and its accompanying lower-cost subscription service model.

The math and logic are simple. 

It is not worth the expense of maintaining redundancy, high availability, business continuity, and backups for one’s own self-built infrastructure. No matter what the self-operator does, the cost of the infrastructure and maintenance is many times higher, and not close to being as reliable as simply paying Microsoft less to do it better. Do-it-yourself email operation is simply not best practice for any small or medium-sized organization.

The next mistake is the lack of institutional commitment to cybersecurity training. Regardless of who manages your technology, the human factor is almost always the weakest and first point of failure. There is no replacement for vigilance, and it must be persistent, regular, varied, and permanent. It was Andy Grove, the founder of Intel, who wrote the book “Only the Paranoid Survive.” It’s true. This must be reinforced by perpetual hardening of your environment’s security profile, using AI and security best practices at the IT management level. Anything less is an open invitation. The most devastating security breaches happen to environments that don’t detect nefarious remote access and malicious behavior. According to IBM, research suggests the average time to detect and contain a data breach is 280 days (about 9 months)!

The last word: IT professionals make the same mistakes repeatedly, chief among them not applying the latest security patches because they believe they should wait to “work the bugs out.” Unpatched servers or appliances are the second most common vulnerability successfully exploited, offering bad actors undetected access into companies whose infrastructure is not designed and operated in adherence to best practices (the NIST Framework). If a network manager is not going to maintain such an environment, they had most certainly better apply patches. There is no bigger bug than Hafnium.