Microsoft Customers Were Secretly Under Attack For Two Months
Reports of another hidden cyber espionage campaign illustrate the power imbalance between technology titans and their customers
Tens of thousands of small businesses and other organizations have just found out that sophisticated state-sponsored attackers are actively exploiting vulnerabilities in their email systems running Microsoft Exchange Server software. Because of the company’s position of privilege in the technology industry, it is unlikely to suffer any serious consequences for willfully and deliberately allowing the victimization of its customers.
According to reporting from KrebsOnSecurity, researchers from the security firm Volexity initially detected the attacks on January 6, 2021. Though the full reporting lineage is not publicly available, indications are that Microsoft has known about the cyber espionage campaign since at least early February, choosing to privately correct the software flaws in obscurity rather than inform its customers of the risks they were operating under. On March 2, 2021, Microsoft released a report on its investigation into the threat actor it dubbed “Hafnium” and issued several emergency patches to correct the associated software deficiencies. Volexity President Steven Adair told KrebsOnSecurity that the cyber espionage group responded to Microsoft’s disclosure by accelerating its attacks indiscriminately, with Adair stating, “The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Adair is absolutely correct. Those patches will do nothing to help the organizations already compromised because the Microsoft Exchange Server vulnerabilities allow an attacker to download email inboxes from every account in the organization and provide a pathway to gain control of the computer system running the software. By taking advantage of that pathway, the attacker can then quietly establish persistent access to the organization’s network that no longer depends on exploiting the Exchange Server vulnerabilities.
Technology companies have little incentive to be transparent when problems are found in their products. Microsoft holds no liability for ongoing harm suffered by its customers, a function of its position of dominance and of licensing contracts that indemnify it against damage caused by software defects. Instead, liability trickles down: compromised customers often bear the brunt of the blame, routinely admonished for not applying software patches in a timely manner and for not investing enough in their technology management functions.
By design, companies must accept some responsibility to defend themselves from cyber attackers. Yet economic factors, combined with a disclosure regime that values secrecy over transparency, mean that most companies will always find themselves playing catch-up regardless of the attention they give to cybersecurity.
Most organizations simply lack the resources to effectively manage their technology environments. According to the Small Business & Entrepreneurship Council, approximately 98% of companies have 100 or fewer employees. Applying workforce statistics that suggest the ratio of technical staff to non-technical staff at an average company is somewhere between 1:20 and 1:40, those small companies likely have only one or two employees remotely capable of defending their technology environments from cyber attacks. In my experience, even those companies capable of employing technical staff often outsource much of their technology and cybersecurity operations to third-party service providers that may only commit to providing administrative support on scheduled weekly or biweekly visits. Considering that many of the organizations that host their own Exchange Servers operate in sensitive public sector domains like municipalities, school systems, and law enforcement, their access to qualified professionals capable of responding to Microsoft’s vulnerability disclosure is likely far worse.
Organizations are also disadvantaged by the power often bestowed on technology companies through a practice known as responsible disclosure. That practice is largely based on the premise that granting companies some period of time to fix their products before vulnerabilities are made public will give them the opportunity to stay ahead of malicious actors who would exploit those flaws once they are disclosed. Unfortunately, there is no consensus within the cybersecurity community on how responsible disclosure applies when attackers are already actively exploiting vulnerabilities at the time they are discovered. Though Google recommends allowing companies 60 days to fix discovered flaws before publicly disclosing them, it suggests that seven days is more appropriate for “critical vulnerabilities under active exploitation.” Even that much more aggressive timeframe places customers at an extraordinary disadvantage.
It is important to reiterate that the “Hafnium” threat actor is the culprit for the Exchange Server attacks and that Microsoft itself is a victim. That fact aside, customers can rightly question the company’s response given the urgency of the problem. Though neither party has disclosed when Microsoft received the initial report from Volexity, the associated vulnerability record was allocated on February 10, 2021. Since, of the two companies, only Microsoft is officially empowered to report the vulnerability as a registered CVE Numbering Authority, it is reasonable to deduce that Microsoft knew about the flaw for at least three weeks prior to public disclosure, in addition to whatever time it took to validate the report. (Update: According to this report, KrebsOnSecurity notes that Microsoft knew about the vulnerabilities “in early January.”) Though earlier disclosure may have made exploits more broadly accessible, it would also have granted researchers and customers the opportunity to rapidly discover and share workaround defenses while waiting for Microsoft to repair its software. Instead, observers can legitimately argue that the chosen path favored Microsoft by shielding it from scrutiny while it developed a fix, with no rational benefit to its customers from delaying the disclosure.
History suggests that Microsoft will easily weather any potential controversy. Its customers have no practical choice because of how dependent they have become on its products. Some might consider moving to competing email server software, but such a transition is so complex that it would be an inaccessible option for most organizations. Indeed, Microsoft may actually gain from the attack as more of its Exchange Server customers opt to relinquish the responsibility of managing their own equipment and bind their users even more tightly to the company by migrating to its cloud-based Microsoft 365 services. Customers simply have very limited leverage with which to hold it accountable for its deficiencies.
Until the technology industry is motivated to address the pervasive power imbalance that makes customers subservient to the companies from which they license products and services, organizations must continue to accept most of the responsibility for defending their systems against both product vulnerabilities and malicious threat actors. Those Microsoft customers that manage their own Exchange Server installations have been exposed since at least early January and will continue to be until they act. They should assume that “Hafnium” is already active within their systems. The best advice the industry can give organizations is to ensure technology products are patched, follow updates on ways to determine whether they have been compromised, and seek expert advice to ensure that the threat actor has been excised from their networks.