Oh, Hafnium. Why couldn’t you remain a lustrous, silvery-gray, tetravalent transition metal whose characteristics were so irrelevant to our daily lives (except when it comes to semiconductor fabrication, amirite folks?) that they could’ve remained a perpetual Wikipedia search away for most of us? Why, instead, did you have to reveal yourself as the namesake of a suspected state-sponsored APT cyber espionage group based in China that has just compromised 250,000 on-prem Exchange servers and counting, with multiple zero-day exploits designed to gain access, self-escalate account permissions, impersonate employees, install additional malware, as well as steal any and all information it can find from there?
Microsoft’s response to HAFNIUM
Brad and Aaron reconvened to discuss the fallout from this massive attack, and the significant efforts that Microsoft has made to mitigate it. These efforts include updates for every version of Microsoft Exchange going back to 2010, which led to a discussion of two competing sets of business tensions when it comes to infrastructure decision-making. First, which is the greater threat to business continuity? A cyberattack using a vulnerability that has just been patched? Or a new security patch breaking core business functionality?
This is not a tension that can ever be definitively resolved – a zero-day attack that is only discovered after being exploited in the wild is a worst-case scenario and must have its delivery vector patched quickly. This requires a shortened or non-existent testing schedule for any OS and software updates, which means that you, the end user, will be the de facto beta tester for any mitigation and will deal with the consequences of anything that breaks.
Of course, the other inexorable concern is that an unpatched zero-day exploit doesn’t particularly care who originally used it or why. Vulnerabilities that came from the arsenal of a state-sponsored APT group, whether for narrow and targeted espionage purposes or for mass data harvesting, won’t remain their exclusive possession. Once the vulnerability goes public, the genie is out of the bottle, and any opportunistic criminal enterprise may capitalize on the virtually guaranteed attack surface presented by organizations that are unwilling or unable to install security patches quickly. Hence the predictable ransomware attacks that have ensued in Hafnium’s wake, using these vulnerabilities as a delivery vector for more conventional extortion schemes.
Fun fact: As I was editing this blogpost, several members of my team and I were peppered with spear phishing emails. And the depressing saga of modern cybersecurity marches on.
Security risk: on-prem vs cloud
Brad and Aaron also discussed the inflection point that necessarily comes with a cyberattack targeting on-prem business infrastructure such as Exchange. Every organization must now weigh the pros and cons of switching from on-prem Exchange to Office 365, taking the new threat landscape into account.
Aaron focuses on the risk calculation – essentially, the question of whether outsourcing the network security of your critical infrastructure to a cloud provider, even one as broadly trusted as Microsoft, is the safest choice. This is the choice that Prowess and SmartDeploy made a few years ago, as have many other organizations, but it does put a certain amount of trust in another company’s cyberattack defense.
And as Brad noted, for hybrid Active Directory scenarios, making this switch is not possible without leaving a single Exchange server behind on-prem. As his colleague, former multi-year Microsoft MVP Steve Goodman, notes in this editorial, “Unfortunately, though, every organization that uses Microsoft 365 and uses Azure AD Connect to synchronize their Active Directory must keep an Exchange Server running to manage recipient attributes to be fully supported by Microsoft.” And as Goodman argues – this is probably something that Microsoft should be trying to fix right now if they aren’t already.
This is normally where I would pivot to a fun tech story from this week, but alas, the tech news I’ve consumed recently also represents a sobering inflection point with respect to cybersecurity and global technological competition.
Artificial Intelligence in America
The NSCAI, which is the United States’ National Security Commission on Artificial Intelligence, has just delivered its final report on American readiness to compete in the field of Artificial Intelligence (AI), both technologically and against emerging AI-driven cybersecurity threats. Its conclusion is lengthy, and worth a read even if you’re not a lawmaker – especially if you need a reminder of all the ways in which AI (and functionality which resembles AI but is heavily supported by humans) already exists as a part of your daily life.
The commission concluded that as a nation, we are drastically underinvesting in this area, and will be overtaken by the government of China in AI research if we do not remedy the situation immediately. The commission recommends doubling annual US investment in this field every year for the next decade, establishing a Digital Service Academy (a military academy which would create a pipeline of tech talent for the federal government’s vast tech needs), and generally treating AI as a part of our nation’s critical infrastructure.
The report also speaks at length about the need to ensure that the US works with other nations at upholding democratic norms and human rights when it comes to the use of this emerging technology. This is, I think, a conclusion that can be defended even in the absence of any bellicose impulses toward China or any other nation (although it’s not lost on me that the first two paragraphs of this blogpost discussed three separate cyberattacks attributed to China).
The idea that AI will be a new frontier in which to improve human lives and make more efficient use of resources in a world with a changing climate (not to mention making sure the power stays on even when the weather presents predictable hurdles) is an idea that I basically agree with, even if it comes with an overriding desire that we treat it as an opportunity to reduce the world’s appetite for constant low-level cyberwarfare.
The listener question for this week was for Aaron, and it was basically, “If you were to start over with SmartDeploy, what would you change?” As a member of the SmartDeploy support team, I can confirm this answer is very much worth a listen in the video.
That’s it for March! Another milestone: This is the first blogpost since I started this series which hasn’t mentioned COVID (until now!). The US has amped up its manufacturing rate of every approved vaccine, and the end of the pandemic is getting just a tiny bit closer. Stay safe and patch your servers.