Hafnium hack poses extended threat

IT teams have a long road ahead of them as they work to find and root out all vestiges of the Hafnium hack in their Microsoft Exchange systems.

Government IT teams still reeling from the massive supply chain hack involving SolarWinds are now tasked with evicting any adversaries that penetrated their networks through recently discovered vulnerabilities in Microsoft's Exchange software.

While updating software will protect systems not yet affected, "patching and mitigation is not remediation if the servers have already been compromised," the National Security Council said in a March 5 tweet. "It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted."

Agencies that do not find and root out all vestiges of the Hafnium hack will leave themselves open to the continuing attacks from previously installed backdoors. In fact, other bad actors are starting to take advantage of Exchange Server vulnerabilities. “Four more groups have joined in, and the original Chinese hackers have dropped the pretense of stealth and increased the number of attacks they’re carrying out,” according to a March 6 report in MIT’s Technology Review.

The Cybersecurity and Infrastructure Security Agency has posted a Remediating Microsoft Exchange Vulnerabilities web page that provides specific steps both leaders and IT security staff should take to protect their systems. Previously, CISA posted a script that allows potentially impacted organizations to scan their Exchange log files for indicators of compromise.

A CISA spokesman said that the agency has received reports from a "majority" of civilian agencies. "Currently, agencies continue to patch affected servers and investigate for indications of compromise," he continued.

A spokesman for the Pentagon said that the Defense Department is "currently assessing our networks for any evidence of impact. We are taking all necessary steps to identify and remedy any possible issues related to this situation."

Independent security researcher and journalist Brian Krebs reported in his blog that up to 30,000 organizations in the U.S. may have been affected by the vulnerabilities.

This article was first posted on FCW, a Defense Systems partner site.