Hafnium hack poses new long-term threat for already overtaxed cyber workers

Federal agencies still reeling from the effects of a massive hack involving SolarWinds may face a new challenge of evicting any adversaries that breached their networks through recently discovered vulnerabilities in Microsoft's Exchange software.

"Patching and mitigation is not remediation if the servers have already been compromised," the National Security Council said in a tweet on Friday. "It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted."

President Joe Biden's National Security Advisor Jake Sullivan also took to Twitter to urge U.S. think tanks and defense industrial base contractors "to patch ASAP."

The rare, public warning from the White House urging public and private entities to update their systems followed the Cybersecurity and Infrastructure Security Agency issuing an emergency directive last week, citing an "unacceptable risk" posed by zero-day exploits discovered in Exchange. Microsoft in a recent blog post said it has observed a China-based group, dubbed "Hafnium," using those vulnerabilities to target U.S. organizations.

CISA's directive instructed all civilian federal agencies to immediately disconnect or update Exchange products running on-premise. It also ordered agency CIOs to conduct digital forensics to find indicators of compromise and report back to CISA by noon on March 5.

A spokesman told FCW today that CISA has received reports from a "majority" of civilian agencies. "Currently, agencies continue to patch affected servers and investigate for indications of compromise," he continued.

A spokesman for the Pentagon told FCW, the Defense Department "is aware of the Microsoft Threat Intelligence Center's report and is currently assessing our networks for any evidence of impact. We are taking all necessary steps to identify and remedy any possible issues related to this situation."

Independent security researcher and journalist Brian Krebs reported in his blog on Friday that up to 30,000 organizations may have been affected by the vulnerabilities.

Chris Krebs, the former CISA director, predicted on Twitter that the hack will "disproportionately impact those that can least afford it," and noted that the vulnerability is "trivial to exploit," meaning that anyone aware of the flaw with a bare minimum of technical ability can implant malware on unpatched systems.