In March 2021, Microsoft announced four significant “zero day” vulnerabilities affecting on-premises Exchange email servers. The set has been dubbed the Hafnium vulnerabilities after the name Microsoft gave to the China-based hacker group it observed actively exploiting them all over the world. The group is believed to be backed by the Chinese government and well funded. The flaws are classified as “zero days” because they were previously unknown software defects that were already being actively exploited before a fix existed.
Microsoft released patches for all four flaws. Used in combination, the vulnerabilities allow an unauthenticated attacker to run code on the server and install remote-control software (in the observed attacks, a web shell). Because Exchange is woven deeply into the Windows domain, an attacker who controls the server can very quickly expand to the entire internal network with administrative rights, reach user accounts and data stored within the internal Microsoft network, and potentially do all of this undetected.
The vulnerabilities have reportedly been exploited on tens of thousands of Exchange servers worldwide. Patching closes the hole but does nothing about what an attacker already left behind (web shells, new accounts, stolen credentials), so patching alone does not protect a server that was exploited before the patch was applied. Thousands of networks may therefore still be compromised and need extensive clean-up, and a server should be checked for indicators of compromise rather than assumed clean once patched. Fully cleaning a Hafnium-compromised network is extremely difficult; the only reliable path forward is to tear down and completely rebuild the affected systems, a huge effort for already overworked IT staff.
Hafnium may well be the most significant and pervasive security problem for Microsoft networks in the last 20 years. What can we learn from it to be better prepared for the next zero day?
1. Prompt patching of everything on your network is critical
While Hafnium caught everyone flat-footed, the importance of prompt and thorough patching of all network-attached equipment cannot be overstated. It is the single most important step you can take for your cybersecurity hygiene. Keep in mind that a zero day, by definition, has no patch when exploitation begins; fast patching shortens the window of exposure, and the remaining lessons below limit the damage during that window.
Know what’s on your network. Patching must go beyond Microsoft software; your IT team must have a solid and reliable inventory of all equipment attached to the network. This includes routers, firewalls, switches, Wi-Fi devices, hypervisors such as VMware, and non-Microsoft software on your PCs such as Adobe Reader, Firefox, and others.
Subscribe to vendor email lists and track their software and security releases. Apply them as soon as practicable. Establish a patching routine and stick to it, even if patching is painful (and it is). Microsoft releases patches on the second Tuesday of every month, but emergency fixes such as the March 2021 Exchange updates are released out of band and should not wait for the next scheduled cycle. Understand that patches cannot always be thoroughly tested and will break things from time to time. Make sure your team has a back-out plan and support them if things go wrong.
2. Never allow users to operate as an administrator
With one simple phishing email, an attacker can take complete control of your network if the victim is logged in with administrator privileges. Have as few administrator accounts as possible, use them sparingly (only when needed, and separately from the account used for email and web browsing), and monitor them for use and unexpected password changes. Monitor for the creation of any unexpected administrator accounts and for additions to privileged groups such as Domain Admins.
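One way to do that monitoring, as an added example that is not from the original article: review exported Windows Security log events and flag every change that affects who holds admin rights. The event IDs are the real Windows Security log IDs; the allowlist of known admin accounts, the account names and the sample events are constructed for illustration.

```python
"""Flag privileged-account changes in exported Windows Security event records."""
from dataclasses import dataclass

# Real Windows Security log event IDs.
USER_CREATED = 4720          # A user account was created
PASSWORD_RESET = 4724        # An attempt was made to reset an account's password
GLOBAL_GROUP_ADD = 4728      # Member added to a security-enabled global group (e.g. Domain Admins)
LOCAL_GROUP_ADD = 4732       # Member added to a security-enabled local group (e.g. Administrators)
UNIVERSAL_GROUP_ADD = 4756   # Member added to a security-enabled universal group (e.g. Enterprise Admins)
GROUP_ADD_EVENTS = {GLOBAL_GROUP_ADD, LOCAL_GROUP_ADD, UNIVERSAL_GROUP_ADD}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Hypothetical inventory: the only accounts that are supposed to hold admin rights.
KNOWN_ADMINS = {"CU\\adm-jsmith", "CU\\adm-rlee"}


@dataclass
class Finding:
    event_id: int
    actor: str       # SubjectUserName: who performed the change
    target: str      # account or group member affected
    severity: str
    reason: str


def review_events(events, known_admins=KNOWN_ADMINS):
    """Return a Finding for every event that changes who holds admin rights."""
    findings = []
    for e in events:
        eid = e["EventID"]
        actor = e["SubjectUserName"]
        if eid in GROUP_ADD_EVENTS and e["TargetGroup"] in PRIVILEGED_GROUPS:
            member = e["MemberName"]
            # Every addition to a privileged group is reported. One performed by, and
            # granted to, a known admin is still worth a look; anything else is critical.
            sev = "high" if actor in known_admins and member in known_admins else "critical"
            findings.append(Finding(eid, actor, member, sev, f"added to {e['TargetGroup']}"))
        elif eid == USER_CREATED:
            # Account creation should be rare and ticketed; creation by a service or
            # non-admin account is how an attacker plants a persistent foothold.
            sev = "medium" if actor in known_admins else "critical"
            findings.append(Finding(eid, actor, e["TargetUserName"], sev, "new account created"))
        elif eid == PASSWORD_RESET and e["TargetUserName"] in known_admins:
            # An admin account's password reset by some other principal.
            if actor != e["TargetUserName"]:
                findings.append(Finding(eid, actor, e["TargetUserName"], "critical",
                                        "admin password reset by another principal"))
    return findings


# Constructed sample events, shaped like the fields of a Get-WinEvent or SIEM export.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "CU\\jdoe", "TargetUserName": "CU\\jdoe"},      # ordinary logon: ignored
    {"EventID": 4728, "SubjectUserName": "CU\\adm-jsmith", "MemberName": "CU\\svc-backup",
     "TargetGroup": "Domain Admins"},                                                  # service account made Domain Admin
    {"EventID": 4728, "SubjectUserName": "CU\\adm-jsmith", "MemberName": "CU\\jdoe",
     "TargetGroup": "Sales"},                                                          # ordinary group: ignored
    {"EventID": 4732, "SubjectUserName": "CU\\adm-jsmith", "MemberName": "CU\\adm-rlee",
     "TargetGroup": "Administrators"},                                                 # known admin, known actor
    {"EventID": 4720, "SubjectUserName": "CU\\svc-exchange", "TargetUserName": "CU\\helpdesk2"},  # created by a service account
    {"EventID": 4724, "SubjectUserName": "CU\\svc-backup", "TargetUserName": "CU\\adm-rlee"},     # admin password reset
]

if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id}: {f.actor} -> {f.target}: {f.reason}")
```

Feed it the output of your log collector rather than the sample list; the point is that the allowlist of admin accounts is short enough to write down, so any change outside it stands out immediately.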
3. Limit your Internet accessible footprint
Understand your firewall. Audit it at least annually and document the business purpose and owner of each rule.
Apply the concept of least-privilege access: your firewall should allow only the traffic required for your credit union to function and no more. Every extra or unnecessary exposed service is one more thing that can be compromised.
Clean out old or stale rules promptly. Use checklists for adding or removing devices and applications that include a review of the firewall, so that a rule is removed when the system it served is.
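The audit described above can be scripted once the rule base is exported with its hit counters. The following is an added example, not part of the original article: the rule fields and the sample rules are constructed, and it flags the four problems the text calls out (overly broad allow rules, rules without a documented purpose or owner, rules not reviewed in a year, and rules that nothing has matched recently).

```python
"""Audit an exported firewall rule base for broad, undocumented and stale rules."""
from datetime import date, timedelta

MAX_REVIEW_AGE = timedelta(days=365)   # "audit at least annually"
STALE_WINDOW_DAYS = 90                 # a rule with no hits in this window is a removal candidate


def audit_rules(rules, today):
    """Return a list of (rule name, problem) pairs; an empty list means the rule base passes."""
    problems = []
    for r in rules:
        if r["action"] != "allow":
            continue  # a deny rule cannot expose a service; only allow rules are reviewed
        name = r["name"]
        # Least privilege: an allow rule from anywhere to every host or every port is too broad.
        if r["source"] == "any" and (r["destination"] == "any" or r["ports"] == "any"):
            problems.append((name, "allows any source to any destination or port"))
        # Every allow rule must carry a documented business purpose and an owner.
        if not r.get("purpose") or not r.get("owner"):
            problems.append((name, "no documented business purpose or owner"))
        # Annual review: the rule must have been looked at within the last year.
        if today - r["last_reviewed"] > MAX_REVIEW_AGE:
            problems.append((name, f"not reviewed since {r['last_reviewed'].isoformat()}"))
        # Stale: nothing has matched the rule recently, so nothing needs it.
        if r["hits_90d"] == 0:
            problems.append((name, f"no matching traffic in {STALE_WINDOW_DAYS} days; candidate for removal"))
    return problems


AUDIT_DATE = date(2021, 3, 15)

# Constructed rule base: one well-kept rule, two that would fail an audit, and the default deny.
SAMPLE_RULES = [
    {"name": "OWA-inbound", "action": "allow", "source": "any", "destination": "10.0.1.20",
     "ports": "443/tcp", "purpose": "Outlook Web Access for members", "owner": "IT",
     "last_reviewed": date(2020, 9, 1), "hits_90d": 120000},
    {"name": "Vendor-RDP", "action": "allow", "source": "any", "destination": "any",
     "ports": "3389/tcp", "purpose": "", "owner": "",
     "last_reviewed": date(2018, 4, 12), "hits_90d": 0},
    {"name": "Legacy-FTP", "action": "allow", "source": "203.0.113.7", "destination": "10.0.2.5",
     "ports": "21/tcp", "purpose": "Statement vendor upload", "owner": "Finance",
     "last_reviewed": date(2019, 11, 30), "hits_90d": 0},
    {"name": "Default-deny", "action": "deny", "source": "any", "destination": "any",
     "ports": "any", "purpose": "Implicit deny", "owner": "IT",
     "last_reviewed": date(2020, 9, 1), "hits_90d": 5300},
]

if __name__ == "__main__":
    for name, problem in audit_rules(SAMPLE_RULES, AUDIT_DATE):
        print(f"{name}: {problem}")
```

Most firewalls can export rules with hit counts to CSV or JSON; map those columns onto the fields above. A rule that fails only the stale check should be disabled before it is deleted, so that a quarterly process that genuinely needs it can be discovered without rebuilding the rule from memory.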
4. Restrict outbound internet access
This often-overlooked principle can greatly reduce the damage an attacker can do once inside. Disable anonymous outbound Internet access from your credit union’s network. Only known user accounts with a need to reach Internet resources should be allowed out. Block everything else, including administrator accounts and the accounts that services such as Exchange run under; a compromised Exchange server that cannot reach the Internet cannot easily fetch tools or report back to its operator. Where a server genuinely needs outbound access (for example, to download updates), allow it by an explicit rule to the specific destinations rather than by a blanket permission.
Only permit the protocols needed to operate the credit union, such as HTTP and HTTPS. Block other protocols that can move files out, such as FTP and SSH. Because an attacker can also tunnel traffic over HTTPS, pair the port restriction with a web filter that limits access to the sites needed for business use and blocks all others.
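The egress policy described in this section, written out as code and run over a constructed outbound connection log, as an added example that is not part of the original article. It encodes the rules above: only named user accounts may go out, administrator, service and machine accounts (including the Exchange server’s own computer account) may not, only HTTP and HTTPS are permitted, and a web filter restricts destinations. The log line layout, the adm-/svc- account naming prefixes, the filter allow list and the sample lines are all assumptions made for the example.

```python
"""Check outbound connection records against a restrictive egress policy."""
import re

ALLOWED_PORTS = {80, 443}
NAMED_PROTOCOLS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp"}
# Hypothetical web-filter allow list: destinations the business actually needs.
ALLOWED_DOMAINS = {"microsoft.com", "windowsupdate.com", "ncua.gov"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def account_class(user):
    """Classify a principal as user, admin, service, machine or anonymous.

    The adm-/svc- prefixes are an assumed naming convention; the trailing $ on
    computer accounts is the real Active Directory form (e.g. EXCH01$).
    """
    if not user or user == "-":
        return "anonymous"
    name = user.split("\\")[-1].lower()
    if name.endswith("$"):
        return "machine"
    if name.startswith("adm-"):
        return "admin"
    if name.startswith("svc-"):
        return "service"
    return "user"


def domain_allowed(host):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(rec):
    """Return 'allow' or 'deny:<reason>' for one outbound connection record."""
    cls = account_class(rec.get("user"))
    if cls != "user":
        return f"deny:{cls}-account"      # no anonymous, admin, service or machine egress
    port = int(rec["dport"])
    if port not in ALLOWED_PORTS:
        return "deny:" + NAMED_PROTOCOLS.get(port, f"port-{port}")
    if not domain_allowed(rec["host"]):
        return "deny:web-filter"
    return "allow"


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = ts
    return rec


def triage(lines):
    """Return (user, host, dport, verdict) for every record, in log order."""
    out = []
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        out.append((rec.get("user"), rec["host"], int(rec["dport"]), evaluate(rec)))
    return out


# Constructed outbound connection log, roughly the shape of a firewall or proxy export.
SAMPLE_LOG = r"""
2021-03-03T10:14:02Z src=10.0.5.21 user=CU\jdoe dst=13.107.42.14 host=www.microsoft.com dport=443
2021-03-03T10:14:09Z src=10.0.1.20 user=CU\EXCH01$ dst=198.51.100.9 host=cdn.example.net dport=443
2021-03-03T10:15:30Z src=10.0.5.40 user=CU\adm-jsmith dst=13.107.42.14 host=www.microsoft.com dport=443
2021-03-03T10:16:11Z src=10.0.5.21 user=CU\jdoe dst=198.51.100.22 host=files.example.net dport=22
2021-03-03T10:17:45Z src=10.0.2.5 user=- dst=203.0.113.80 host=update.example.org dport=80
2021-03-03T10:18:02Z src=10.0.5.21 user=CU\jdoe dst=203.0.113.91 host=paste.example.com dport=443
"""

if __name__ == "__main__":
    for user, host, port, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:<24} {user} -> {host}:{port}")
```

The second sample line is the one that matters for Hafnium: the Exchange server’s own account opening an HTTPS connection to an unfamiliar host is exactly what a web shell calling home looks like, and it is denied by the account rule before the port or the destination is even considered.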
5. Apply the Battlestar Galactica principle
The rebooted Battlestar Galactica series featured an episode explaining that the ship’s computers were deliberately kept off any outside network so that hostile forces could not take them over.
Apply the same principle wherever possible. Be slow to connect devices to the Internet, because anything reachable from the Internet will naturally attract attention from bad actors.
Avoid attaching Internet of Things devices to your network if at all possible, or put them on an isolated network with no access to your internal network. Smart devices such as thermostats, cameras, and media control panels are not typically designed with cybersecurity in mind, and vendors rarely release security updates for their firmware. Avoid attaching these to your internal network at all costs.
6. Use vulnerability scanning tools
These tools are increasingly available as services you can rent rather than install. Assess and correct all new devices and software for security deficiencies before introducing them to your network. Scan regularly, both from the Internet side (what an attacker sees) and from inside, to discover new vulnerabilities in existing systems and to verify that patching actually took effect.
7. Build muscle memory with regular incident response drills
Speed is of the essence. Your teams need to react quickly when new zero days are disclosed. Hafnium moved very fast: thousands of servers were compromised within days of the disclosure. Your teams must be able to pivot to a newly announced vulnerability in real time.
Live out your incident response plan. Use real-world events like Hafnium to activate the plan and assess your exposure. Document your activities, even if you turn out to have no exposure and were not breached.
Be ready for when you are breached. The more you practice (and there are multiple events to pick from every month), the more ready your team will be for an actual event.
8. When chased by a bear, you just need to be faster than the next guy
Cyber thieves operate like a business. They have operating costs, and unless motivated by a personal vendetta, they will typically not spend more on compromising a target than the potential payoff. Your cybersecurity doesn’t have to be perfect, but it does have to be better than the average business’s.
Clean up the low-hanging fruit described above to drive up the cost of targeting your network, and most attackers will move on to greener pastures.