The unfolding Hafnium attack is the latest event in the trend of cyber events. CISOs are starting to recognize that enterprise cyber security is being redefined to mean "me and all my suppliers", or that the combination of first- and third-party cyber risk is enterprise risk. NotPetya demonstrated that breaching a small accounting firm could cost a firm like Merck over $1B in damage.
What lessons is the Hafnium attack teaching?
On Mar 2, threat actors attributed to a new Chinese APT Group, dubbed ‘Hafnium’ by Microsoft, exploited four Exchange server zero-day vulnerabilities. Industry participants have nearly uniformly reported this as a massive attack.
| Observation Date | March 10 | March 8 | March 11 | March 11 | March 15 |
| --- | --- | --- | --- | --- | --- |
| Total Exchange Servers with OWA Observed | 320,000 | Not avail | 400,000 | Not avail | 18,000 |
| Vulnerable IPs | 100,000 | 125,000 | 82,000 | 68,500 | 2,500 |
| Mapped Vulnerable Organizations | 14,000 | Not avail | Not avail | 8,911 | 173 |
In a March 15 update, BitSight reported detecting over 300,000 Exchange servers, identifying nearly 65,000 that were vulnerable and over 14,000 (4%) that were still exploited. Twenty-one days after the attack was reported, the number of vulnerable systems has dramatically reduced indicating that organizations are steadily patching systems.
However, as of March 22, 28,500 vulnerable servers remain unpatched. But patching alone does not remediate malicious files that were already downloaded. The number of patched-and-exploited servers, along with unpatched-and-exploited servers, remains alarmingly high. These organizations are at risk of additional exploitation, including ransomware attacks, and they pose a digital supply chain threat to the customers and partners relying on them for services.
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
Caption: BitSight research observes the first seven days of Hafnium’s global impact. Each dot represents an exploited Exchange server.
The attack created significant disruption and continues to pose a significant threat to organizations that were exploited. Importantly, this attack, while attributed to a state actor, opened the door for other opportunistic cyber crime actors to exploit the unpatched vulnerabilities.
It is important to keep in mind a truth put forward by security experts and regulators: across all geographies, organizations must confirm that the third parties they do business with have also performed forensics.
BitSight’s research has reported that when attacks like Hafnium occur there are remediation laggards. The laggard group contains large and small organizations alike. Rather than size or resources, we can speculate that the deciding factor is an organization’s commitment to daily security performance excellence, both within its own organization and across its digital supply chain. Organizations, large and small, that are slow to patch are the soft spot within digital supply chains and can represent a third-party threat within the digital vendor ecosystem.
If you imagine that sensitive data about your company could be found in your vendors' email systems, you should know which of them are at risk.
The potential exposure is concentrated mostly in the technology sector, with additional risk from business services, as seen in the table below. It can be inferred that the bulk of these companies are vendors within the digital supply chain, and thus their customers are in some way exposed.
| Sector | Percentage |
| --- | --- |
| Technology | 28.8% |
| Manufacturing | 12.1% |
| Government/Politics | 11.6% |
| Business Services | 11.0% |
| Healthcare/Wellness | 9.4% |
This highlights the need for security and third-party risk leaders to rethink enterprise risk to encompass their third parties.
Looking back on prior events such as SolarWinds, NotPetya, BlueKeep, WannaCry, and now Hafnium, the question truly is: what are the key lessons learned from these events?