Three Red (Chinese) Flags That Microsoft Should Have Noticed

The recent, so-called “HAFNIUM breach” of Microsoft Exchange servers could have been avoided if only Microsoft had been better attuned to how sovereign hackers think, act and attack. Every indication is that this hack came from China, but it was only a matter of time before one of the world’s dark corners exploited these vulnerabilities. Measured against the financial and reputational damage to its clients and to Microsoft, these liabilities could have been reduced, maybe avoided altogether. Now Microsoft is scrambling (AGAIN) to contain the damage and explain how this will never happen again. Compared to their potential liabilities (and financial damages), Microsoft and its clients could have spent pennies on the dollar to remedy and protect.

There were several red flags that a smart system could have detected and used to stop the data theft. First red flag: MS Exchange servers typically connect only to other mail servers and to Microsoft servers for updates. But the hackers brought MEGA, a file-sharing site that is not a mail server, into the loop. Sending mail, or any other data, from a Microsoft Exchange server to MEGA sites should not have been allowed.

Second red flag: mail server protocols, typically SMTP, are not used by the MEGA site, and therefore data should not have been allowed to flow from Exchange servers to MEGA. Such communication should be blocked by a simple firewall rule.

Third red flag: when sending mail data there is an expected distribution across many different servers. For example, it would be unusual – and suspicious – for a large volume of data to be sent to a single IP address, even when spread over a number of days or longer. Inventive monitoring and control techniques would have detected, displayed and delayed such massive data transfers.

Microsoft was most likely aware of the zero-day exploits, the security issues in its own system. Had it shared these vulnerabilities and avoided the ‘hope’ strategy, Microsoft could have protected its clients’ information by:

  • A blacklist of non-trustworthy IP addresses, distributed among clients, such as the addresses of the virtual private servers (VPSs) used by the hackers;
  • Rules that deny Exchange servers access to any servers other than other mail servers or the Microsoft servers used for downloading software updates; and
  • Checks for abnormalities in the volume of data exiting any Exchange server to a single IP address. Once the limit is reached, the system would report and stop the transmission of data, capping the damage.
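As an added example (not code from the original post), the three red flags and the three measures above can be turned into a single egress check run over flow records from an Exchange server: an allowlist of peer mail servers and update servers, the ports expected for each class of destination, and a per-destination volume cap that reports and stops the transfer once exceeded. The address ranges, log format and cap value are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Hypothetical allowlist (RFC 5737 documentation ranges, not real peer or update servers).
MAIL_PEERS = ip_network("203.0.113.0/24")
UPDATE_SERVERS = ip_network("198.51.100.0/24")
MAIL_PORTS = {25, 587}    # SMTP and submission: the only protocols expected to a mail peer
UPDATE_PORTS = {443}      # HTTPS to update servers only
VOLUME_CAP = 100_000_000  # bytes to one destination IP before transfer is stopped (assumed policy)

def parse_flow(line):
    # Constructed log format: "<ts> <host> <src> -> <dst>:<port> bytes=<n>"
    _ts, _host, _src, _arrow, dstport, size = line.split()
    dst, port = dstport.rsplit(":", 1)
    return {"dst": ip_address(dst), "port": int(port), "bytes": int(size.split("=", 1)[1])}

def red_flag(f, sent, cap):
    """Return (flag_number, reason) if the flow trips a red flag, else None."""
    dst = f["dst"]
    # Red flag 1: destination is neither a peer mail server nor an update server.
    if dst not in MAIL_PEERS and dst not in UPDATE_SERVERS:
        return 1, "destination outside mail/update allowlist"
    # Red flag 2: protocol (port) not expected for this class of destination.
    expected = MAIL_PORTS if dst in MAIL_PEERS else UPDATE_PORTS
    if f["port"] not in expected:
        return 2, f"port {f['port']} not permitted for this destination"
    # Red flag 3: cumulative bytes to a single IP, across all flows seen, exceed the cap.
    sent[dst] += f["bytes"]
    if sent[dst] > cap:
        return 3, f"{sent[dst]} bytes to a single IP exceeds cap {cap}"
    return None

def check_flows(lines, cap=VOLUME_CAP):
    """Return one 'allow'/'block' decision per flow plus (flag, reason, dst) alerts."""
    sent, decisions, alerts = defaultdict(int), [], []
    for line in lines:
        f = parse_flow(line)
        hit = red_flag(f, sent, cap)
        decisions.append("block" if hit else "allow")
        if hit:
            alerts.append((hit[0], hit[1], str(f["dst"])))
    return decisions, alerts
# Constructed sample flows from one Exchange server; 192.0.2.200 stands in for a non-mail file host.
SAMPLE = [
    "2021-03-02T10:00:00Z exch01 192.0.2.10 -> 203.0.113.5:25 bytes=18200",
    "2021-03-02T10:01:00Z exch01 192.0.2.10 -> 198.51.100.7:443 bytes=4096000",
    "2021-03-02T10:02:00Z exch01 192.0.2.10 -> 203.0.113.5:443 bytes=2048",
    "2021-03-02T10:03:00Z exch01 192.0.2.10 -> 192.0.2.200:443 bytes=52000000",
    "2021-03-02T10:04:00Z exch01 192.0.2.10 -> 203.0.113.9:25 bytes=90000000",
    "2021-03-02T10:05:00Z exch01 192.0.2.10 -> 203.0.113.9:25 bytes=20000000",
]
```

Running `check_flows(SAMPLE)` blocks the third, fourth and sixth flows (flags 2, 1 and 3 respectively); the last trips the cap only because the two flows to 203.0.113.9 are summed, which is the point of accumulating per destination rather than judging each transfer alone.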

Solid enterprise systems must include ‘zero trust’ barriers built on monitoring and analysis techniques that are not just a step ahead but a completely new approach to how network security should function in data transmission and VPN sustainability.
