What the HAFNIUM Attack Tells Us About On-Premise and Hybrid Solutions

On March 2nd 2021, Microsoft announced that there were multiple zero-day exploits being used to attack on-premise versions of the Microsoft Exchange server (2010-2019). A threat actor named HAFNIUM was actively taking advantage of these vulnerabilities, affecting thousands of businesses that use on-premise and hybrid deployments. Exchange Online, the cloud-based version of the service does not appear to be affected.

The vulnerability means that the hackers can access email accounts, hijack servers, steal data and more importantly, they have the ability to install malware to facilitate long term access to their victims’ environments.


According to Microsoft, HAFNIUM is a sophisticated group of hackers who run long cyber-espionage campaigns, primarily against the United States. When hackers like this are able to execute large scale attacks, it often leads to other cyber hackers exploiting the situation to their advantage, making patching a little more difficult on-premise.

How detrimental is a ‘zero-day exploit’ for on-premise and hybrid systems?

A zero-day exploit refers to a cyber attack that happens before a vendor is made aware of the issue. Normally, a patch would be made ready when a vulnerability was detected before it could be exploited by cybercriminals; however in this case, HAFNIUM detected the weakness in the system first and were able to capitalise on it before a patch could be made. Unfortunately, because the weakness has already been exploited upon discovery, there’s a bigger increase in downtime whilst trying to patch the issue.

This attack has highlighted the larger issue when vulnerabilities are detected in on-premise solutions. Manual patching is a time-consuming process that can mean there is significant downtime that can cost your business; moreover, there’s a risk to your other on-premise solutions that may also be affected by the exploit. Because of this, fixes that might be applied may also not entirely solve the problem because servers may have been backdoored or compromised in that time.

In a tweet, the National Security Council said “Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

The increased downtime due to the manual patching of on-premise systems and the risk to other on-premise solutions can have a critical impact on your business. Essentially, this attack has shown one of the major risks of adopting on-premise or hybrid systems for your organisation.

Why wasn’t Microsoft Exchange Online affected?

The cyber criminals targeted on-premise versions of the application so any applications that were on the cloud weren’t affected. Using cloud-based applications like SharePoint or M365 alleviate the pressure that attacks like this can cause for you.

Having your data on cloud means that in the event of breaches like this, the onus of patching the breach is on the owner of that server. This means downtime is significantly decreased but also, moving database applications and services to the cloud will naturally mean that constantly updating the level of security on the cloud is a high priority for the platform and all end-users.

Whilst attacks like these may not be 100% preventable, a breach on a cloud service versus on-premise or hybrid systems is less of a headache to handle for the organisation thanks to automatic updates and fast response times versus the manual nature of on-premise.

Speak to us about moving to the cloud

If this attack has made you reconsider your options when it comes to moving to the cloud, our experts are more than ready to help you with any questions. Contact our cloud experts today to find out how a move to the cloud could futureproof your business and bolster its security. If you’re also interested in our cyber security services, you can download our brochure here.