HAFNIUM and SolarWinds Attacks Highlight Lack of Accountability

March 8, 2021 | 3 minute read

On the heels of the SolarWinds supply chain attacks, organizations are again scrambling to assess the impact of a recently disclosed attack attributed to the Chinese state-sponsored HAFNIUM APT group that targets vulnerabilities in Microsoft Exchange servers with two zero-day exploits. Perhaps it’s time we accept that there’s a war going on, and that this war is being fought on the backs of commercial companies who are targeted by sophisticated, military-grade offensive campaigns.

It was reported that, much like the SolarWinds event, the HAFNIUM attacks likely affected tens of thousands of organizations in both the public and private sectors - including an estimated 30,000 government organizations. In both cases, a wide range of traditional and NextGen security solutions proved ineffective in protecting organizations against the operation. 

This most notably includes Microsoft Security, who failed to defend against the HAFNIUM attacks which exploited weaknesses in their own product line. Based on information provided by Microsoft, customers using Microsoft ATP had no protection against the attack against Microsoft Exchange services, and Microsoft hasn’t released any guidance regarding what exactly they intend to do to fix this situation. 

Furthermore, Microsoft recently admitted they would not have been aware of the SolarWinds attacks had it not been for a chance observation by an employee at security firm FireEye and subsequent intelligence sharing that brought the attacks to their attention: “Without this transparency, we would likely still be unaware of this campaign,” Microsoft President Brad Smith told Congress in testimony about the SolarWinds attacks in February.

This is not the first time Microsoft products have been subject of a vulnerability exploit, and it won’t be the last. Organizations deserve more from the vendors that provide security solutions, especially if those solutions are supposed to protect their own operating systems and other software offerings from attacks. 

If Microsoft wants to be a leader in the security space, they should demand more of themselves and so should their customers. Most companies don’t have the luxury of being a massive conglomerate with infinite access to the market like Microsoft. Being a larger player in the business systems space and offering security as an add-on at little-to-no cost by way of licensing bundles (as with the notorious E5 license) demands that security offerings be at least minimally effective - especially in defending their own products and services. 

The fact that an attack was conducted by a nation state doesn’t mean the attack was indefensible. It simply means that the adversary is capable and that with the right cybersecurity technology the customer could have been protected. A capable adversary is not an excuse for failing to protect customers at such a massive scale, or to downplay that failure by glorifying the assumed prowess of the attackers. That’s an unacceptable surrender mentality that fails customers, and if that’s Microsoft’s position, they should simply quit the cyber security business and focus on fixing their software.

Everyone fails, but not everyone learns from their failures. Not everyone takes a ‘miss’ as a personal offense that they must address and then puts pressure on themselves to assure they are successful against the next attack. It’s time we stopped compromising our expectations from those who proclaim they protect us and care about the integrity of their software but fail to deliver. We need to see this in practice when and where it counts: in protecting customers.

For example, Apple and Google don’t make security software, but they do focus on making their software as secure as possible. They have teams looking for vulnerabilities and they pay out significant bounties for anyone who finds them. And they don’t have the audacity to ask us to use their software to protect against their own failings. They work to make their own software and operating systems as good as they can and as safe as they can. 

Microsoft Security was clearly incapable of protecting tens-of-thousands of Microsoft Exchange customers against the HAFNIUM attacks despite what would seem to be an obvious advantage in defending one of their own offerings. Like the SolarWinds attacks, they admitted publicly they simply could not detect the HAFNIUM operation. Perhaps Microsoft should take yet another page out of Apple's playbook and focus on the safety and protection of their products, and leave the protection game to the security pros.

Have we simply given up on software being secure? Have we become too accustomed to the fact that there will be vulnerabilities in the software we use? Does this complacency mean providers like Microsoft are not feeling sufficient pressure to assure that the next Exchange vulnerability or the next Eternal Blue exploit doesn’t happen again? Microsoft has made no commitment that this vulnerability will not  happen again.

The Cybereason Advantage: Commitment to the Customer

Unlike other solutions in the market, the Cybereason Defense Platform was designed by experts in defending against nation-state offensive operations and takes an operation-centric approach to security that detects attacks earlier so security teams can remediate faster, long before an attack escalates to the level of a major beach event. 

That’s why we consistently succeed in protecting our customers against advanced adversaries: for us, we either win with and for our customers, or we have no hope of retaining those customers. This is in contrast to companies like Microsoft who enjoy huge market share and leverage their might to put economic pressure on customers to upsell them with other products and services, and then use those relationships to escape accountability when they can’t deliver on their promises.

Cybereason protected all of our customers from both the SolarWinds and HAFNIUM attacks. We protected them not only because we deliver a solution that has the ability to detect advanced attacks earlier and remediate against them faster, but because our core values as a company necessitate that we protect our customers above all else.

Learn How to Defend Against Attacks Such As SolarWinds and HAFNIUM

Sign up for our next Attack Simulation, it's an inside look at how these multi-stage malicious operations work and how a Cybereason defender can break the kill chain and end the attack.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team