HAFNIUM Exploits Live On

The Prometei Botnet is not new. Like most malware and exploits, it continues to adapt and change over time. What is concerning is what is happening now. Our latest research demonstrates how Prometei has evolved and reveals that current versions of Prometei are now exploiting some of the vulnerabilities in Microsoft Exchange that were part of the recent HAFNIUM attacks.

We will continue to deal with lingering effects from these specific Microsoft Exchange vulnerabilities, but—more importantly—we will continue to deal with vulnerabilities in general and that requires a better approach to cybersecurity.

The HAFNIUM attack was discovered earlier this year in the wake of the SolarWinds attack that was unearthed in late 2020. Both of these attacks impacted tens or hundreds of thousands of systems around the world, but they also have something else in common: both of them have been attributed to nation-state adversaries. The US Intelligence Community has indicated that Russia is behind the SolarWinds attack, and that China is responsible for the HAFNIUM attacks.

As ominous as it seems, though, a nation-state attack is not an excuse. Victims of cyberattacks and the cybersecurity vendors that failed to protect them like to use “nation-state attack” as a crutch—as if the fact that the attack was perpetrated by Russia, or China, or Iran, or North Korea, or any other nation makes it significantly different than a traditional cyberattack or somehow justifies why the attack succeeded.

The suggestion is that the attack is simply too advanced and too sophisticated to effectively defend against because it came from a nation state. The reality is that the line between nation-state attacks and cybercrime has blurred in recent years, and—ultimately—it is still a cyberattack and organizations need to be able to detect and respond to the attack, nation-state or not. 

The part of the Prometei research that stands out is the use of exploits from the HAFNIUM attack targeting vulnerabilities in Microsoft Exchange. Microsoft has developed and released patches, but it is not always that easy. There are sometimes mitigating factors that make it challenging—or impossible—for organizations to apply patches.

Even when they can apply the patches, though, it takes time and organizations have to weigh the risk and potential interruption of business against the possibility that the vulnerability will be exploited. Cybercriminals know all of that, and they are actively seeking out systems that remain vulnerable. 

The reality, though, is that vulnerabilities are a fact of life. The vulnerabilities being targeted exist in Microsoft code and Microsoft bears some responsibility for that. Every vendor has an obligation to develop products that are secure and to take steps to identify and patch vulnerabilities. However, there is no such thing as perfect code.

Microsoft could start from scratch and build their products using secure software development practices and vulnerabilities will still be found eventually. Microsoft will continue to be a target because of the sheer size of the attack surface. Microsoft and its products are virtually ubiquitous, so it makes sense that attackers—both nation-states and cybercriminals—will focus their efforts there.

A common denominator between Prometei, HAFNIUM, SolarWinds, and many other attacks is that they target Microsoft products. You can use Microsoft operating systems and software, just don’t rely on them to protect you from the flaws in their own products.

The Prometei Botnet research and the aftermath of the SolarWinds and HAFNIUM attacks have reaffirmed my belief that effective cybersecurity takes a different mindset. It’s not about patching vulnerabilities—although that is very important—and it’s not even about Microsoft, per se.

We need to focus on proactive Indicators of Behavior (IOBs) rather than continuing to rely on backward-looking Indicators of Compromise (IOCs) alone, so we can empower organizations to defend themselves by quickly detecting and responding to threats. It’s about understanding the way cybercriminals and nation-state attackers think and act, and having the tools in place to recognize suspicious and malicious activity.

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
