On 2 March 2021, Microsoft disclosed four zero-day vulnerabilities in on-premises Exchange Server. By the end of that week the vulnerabilities had been mass-exploited against tens of thousands of organisations worldwide. By the time most IT teams knew the name ProxyLogon, attackers had already deployed web shells across the unpatched estates of small businesses, local authorities, charities, and law firms across the UK and Europe.

Microsoft attributed the initial activity to a Chinese state-aligned group it calls Hafnium. Within days the same exploit chain was being used by criminal groups too, including ransomware operators. CISA issued Emergency Directive 21-02 on 3 March. The NCSC published its own urgent alert the same week. On 5 March, Brian Krebs reported that at least 30,000 US organisations had already been compromised.

I want to write about what this episode teaches that the news coverage has largely missed. It is not the technical detail. It is the structural lesson about the patch window that determined who got compromised and who did not.

The asymmetry

When a vendor discloses a vulnerability and ships a patch, three things happen on different timescales.

The patch is published within hours of disclosure. That is the start of the clock.

The customer's window to apply the patch — for an on-prem Exchange server requiring a maintenance window, sometimes a reboot, sometimes a planned outage — is days to weeks. For a small firm with no dedicated IT staff, it can be longer.

The attacker's window to weaponise the fix — to diff the patched binaries against the old ones, work out the underlying flaw, and build a working exploit — used to be measured in weeks. In 2021 it is measured in days, and for the worst cases hours.

That is the patch-window asymmetry. The defender's clock has not got faster. The attacker's clock has. The result is that, for a serious vulnerability in widely-deployed software, there is now a real window in which the attacker has working exploitation and the defender has not yet applied the patch. The Hafnium chain did not even need that window: the four bugs were zero-days, already being exploited before the advisory, so exploitation was under way the morning the patch appeared. Several of the firms I have helped through compromises in the past month were patched within 72 hours of the advisory. They were already compromised.

What that means in practice

It means that "we patched in a reasonable timeframe" is no longer a sufficient answer to "were we exposed?". For internet-facing systems with serious vulnerabilities, the honest answer to the second question is almost always "yes, briefly, even though we did everything right". The question that follows is "what would we have detected if compromise occurred during that window?". For most of the firms hit by Hafnium, the answer was nothing, and the discovery came weeks later, often via the indicator-of-compromise scripts Microsoft released, or from a customer or partner spotting unusual behaviour.

The structural answer is detection that does not depend on knowing the vulnerability. The Microsoft IOC scripts help after the fact, and only for this one event. The longer-term answer is monitoring that looks for the behaviour an attacker exhibits once inside, regardless of how they got in: in the Hafnium case, the mail server's web worker process writing a new script file into a web-served directory and then spawning a command shell. Most small firms do not have this capability. Most do not need to build it themselves: managed detection and response services have matured to a point where this is affordable for businesses of fifty staff and above.
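To make the "vulnerability-independent detection" point concrete, here is an added example (not code from the original post, and not Microsoft's IOC tooling) of two behavioural rules run over a handful of constructed, Sysmon-style process-creation and file-create events. Neither rule knows anything about ProxyLogon; they fire on what a web-shell operator does once inside: the IIS worker process (w3wp.exe) dropping a server-side script into a web root, and the same worker spawning a command interpreter. The event field names, the host name and the file names in the sample are assumptions made for this example, not a real product's export format or real indicators from the incident.

```python
"""Behaviour-based detection that does not depend on a known vulnerability.

Two rules over process-creation (EventID 1) and file-create (EventID 11)
events in a Sysmon-like shape. Field names (Computer, Image, ParentImage,
CommandLine, TargetFilename) are assumptions for this example.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Processes that serve web requests; a shell or script drop from these is suspect.
WEB_WORKERS = {"w3wp.exe"}
# Command interpreters that a web worker has no normal reason to launch.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Server-side script extensions a web shell is typically written as.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")
# Lower-cased path fragments identifying directories the web server will serve.
WEB_ROOTS = ("\\inetpub\\wwwroot\\", "\\frontend\\httpproxy\\", "\\clientaccess\\")


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Apply both rules to an iterable of event dicts and return the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            if parent in WEB_WORKERS and child in INTERPRETERS:
                alerts.append(Alert("web_worker_spawns_shell", host,
                                    f"{parent} -> {child}: {ev.get('CommandLine', '')}"))
        elif ev.get("EventID") == 11:
            writer = _basename(ev.get("Image", ""))
            target = ev.get("TargetFilename", "")
            low = target.replace("/", "\\").lower()
            if (writer in WEB_WORKERS and low.endswith(SCRIPT_EXTENSIONS)
                    and any(root in low for root in WEB_ROOTS)):
                alerts.append(Alert("web_worker_writes_script", host, target))
    return alerts


# Constructed sample telemetry (JSON lines). Host and file names are invented.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\updater.aspx"}
{"EventID": 11, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex210303.log"}
{"EventID": 1, "Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Computer": "EXCH01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
"""


def load_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> List[Alert]:
    """Run both rules over the constructed sample; used by the demo below."""
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Of the four sample events only the script drop and the shell spawn fire; the log-file write and the administrator's PowerShell from Explorer do not. In production both rules need an allowlist for any legitimate tooling that runs under the web worker, and they are a floor, not a product: the point is that they would have fired on the morning of 2 March without anyone having heard of Hafnium.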

The on-prem question

ProxyLogon also raises an unavoidable question about on-premises Exchange specifically. There are perfectly good reasons a firm might run on-prem mail — sovereignty, latency, integration with other systems, longstanding investment. None of those reasons stop being valid after Hafnium. But running on-prem mail now means committing to a patching cadence and a monitoring discipline that most firms running on-prem mail for cost reasons have not committed to. The arithmetic has shifted. Microsoft 365 has its own compromise patterns, but it is not the customer's responsibility to apply the patch.

For firms still running on-prem Exchange, three questions to ask now.

What is our actual deployment time on a critical patch? Be honest.

Do we have visibility of what an attacker would do after compromise?

If we were compromised between disclosure and patch, would we have any way of knowing?

A pattern, not an event

Hafnium is not the first event of this shape and it will not be the last. The general pattern — patch released, attackers weaponise within hours, slower defenders compromised — will recur. The defenders who already have detection capability that is not vulnerability-specific will catch the post-compromise behaviour. The defenders who do not will discover their compromises weeks later, from outside.

If you take one thing from this post: the patch window matters less than the detection window. Both matter. The patch window you can shrink only so far. The detection window you can shrink considerably further. That is where the marginal effort over the next year is best spent.

What boards should ask this month

Three questions for the next executive briefing.

Were we exposed to ProxyLogon, and if so, for how long? The answer should include a specific time interval from advisory to patch, and a statement about what monitoring covered the gap.

If a similar event happened next month — same shape, different vendor — what would change in our response? If the answer is "nothing, we would do the same again", that is a real answer and worth understanding.

What detection do we have that does not depend on knowing what the attacker is looking for? This is the question that separates the firms that will catch the next Hafnium-shape event from the firms that will find out about it from their auditor.

The next mass-exploitation event is already being prepared somewhere. The question is whether we will see it before it sees us.