Gavin Wood is the Chief Technology Officer at Chess. With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he's a massive advocate for remote working and anywhere operations.
Our CTO, Gavin Wood, analyses the HAFNIUM attack and recommends best practice to ensure you have improved your security posture. In this article, he covers:
If you googled hafnium before the 2nd of March you would have found the top result referring to a chemical element with the symbol HF and atomic number 72. Now the word hafnium or HAFNIUM (all CAPS and shouty) has come to mean something much more serious in the cybersecurity world.
What is HAFNIUM?
HAFNIUM refers to several different aspects of a significant cybersecurity incident first identified in early March. The first aspect of this incident is where the name originates. Hafnium is the name given by Microsoft's Threat Intelligence Centre (MSTIC) to a state-sponsored threat actor group that operates from China.
The second element that makes up the incident known as HAFNIUM are the Zero Day Common Vulnerabilities and Exposures or CVEs found in the On-Prem version of Microsoft Exchange Server 2013, 2016, and 2019 and the associated exploitation of these CVE's by the threat actors (now not just limited to the Hafnium group). These CVEs are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
The other element that makes up this incident is the exploitation of these CVEs and the associated on-going possibility of exploitation through web shells used to gain access to compromised systems.
At this point, I should mention, if you have the On-Prem version of Microsoft Exchange Server 2013, 2016, or 2019 anywhere on your network and you have not patched it, you should immediately do so. Instructions and technical details available here.
Once you have patched, then you should assume breach. You should ensure that you follow the guidance from Microsoft and other partners (listed at the bottom of this article) on searching for Indicators of Compromise (IoCs) on your systems and platforms and within your network. Only by searching for these IoCs will you have the reassurance that you have removed the opportunity for any further cybersecurity incidents to take place.
Why is HAFNIUM so bad?
The combination of elements that have come together in this incident results in a perfect opportunity for threat actors; a state-sponsored group with resources and techniques to hand that are unavailable to the wider community have been able to compromise systems under the radar. At the moment, there is no estimate of how long these techniques were used before being exposed. Once exposed, however, Proof of Concept (PoC) for more general consumption by the broader hacking community were made available. As many as ten different hacking groups worldwide started using them to exploit as many systems as possible before patches were made public and rolled out to the exposed systems across the globe.
Once installed, web shells can remain inactive until invoked by the threat actor. Therefore, even after patching, if the proactive search for IoCs is not undertaken correctly, further exploitation of a network is possible.
This perfect opportunity for threat actors turned into the perfect storm for cybersecurity professionals. Even with the most robust and finely tuned patching program in place, there is no way to defend against Zero-Day exploits until the vendor has published a patch and its been installed. Meaning that even if the time from patch creation to installation is as short as possible, systems may have already been compromised.
"More than 500 email servers in the UK may have been hacked..."
HAFINUM, as we saw with the SolarWinds attack earlier in the year, is the result of a very sophisticated hack with fingers being pointed at state-sponsored threat actors using the tools and protection of the state to create and craft these exploits. This is going to be a continuing challenge for cybersecurity professionals to respond to. The arms race between attacker and defender is, as always, very much on, but there are things that organisations can do to improve their day-to-day security.
As well publicised as HAFNIUM is, Zero-day vulnerabilities made up only approximately 0.4% of vulnerabilities during the past decade. While Zero-Day attacks are real, businesses' main risk is existing vulnerabilities that are actively being exploited in the wild.
To improve your security posture, you would need a strategy of risk mitigation that includes:
- having a program to ensure legacy unsupported systems are upgraded or replaced
- reduction in attack surface through effective access control
- robust and timely patch management
- continual security testing
Security reset for business survival: Your top vulnerabilities
Stuart White, our Penetration Test Team Lead, summarised the latest top five vulnerabilities that our security experts find in our customers' networks, which enable them to break into a corporate network within minutes.
Microsoft 365 and Azure AD Live Hack
Our team show how much data can be breached and exposed by compromising a single account, causing financial and reputation damage.
12 Most Common Vulnerabilities Whitepaper
Read 12 Common Vulnerabilities Found During Penetration Testing to learn more about the sorts of vulnerabilities that you might unknowingly be allowing on your network.