European Banking Authority Reveals Microsoft Exchange Hack
EBA’s email servers have been compromised in a global Microsoft Exchange cyberattack.
The US is showing serious concern over a cyberattack on Microsoft’s Exchange email software that the tech company has blamed on China. The attack affected thousands of on-premises email customers, small businesses, enterprises, and government organizations around the world.
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn
— National Security Council (@WHNSC) March 6, 2021
On March 7th, the European Banking Authority (EBA) released an official statement saying it had taken all of its e-mail systems offline after its Microsoft Exchange Servers were hacked as part of the ongoing attacks. The EBA is part of the European System of Financial Guidance and oversees the stability and orderly functioning of the EU banking sector.
The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organizations worldwide. The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts, and other relevant entities.
Additionally, the EBA initially stated that the attackers may have accessed personal data held on the e-mail servers. However, an update released yesterday noted that forensic specialists have found no indication of data exfiltration.
At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.
Who is Behind the Attacks?
The Microsoft Threat Intelligence Center (MSTIC) identified the new threat actor as “Hafnium” and assesses that it operates from China. Hafnium has been attacking infectious disease researchers, law firms, universities, defense contractors, policy think tanks, and NGOs across the US with the aim of exfiltrating sensitive information. The attackers gained access not only to the victims’ emails but also to their entire networks, using four distinct zero-day exploits.
According to Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft,
Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.
While conducting its research, MSTIC found that Hafnium would first gain access to an Exchange Server either with stolen passwords or by using the previously unknown vulnerabilities to pose as someone who should have access.
Initially, Microsoft believed the attacks were connected only to Hafnium, but in a recent blog update the company said that several other threat actors are exploiting the recently patched Exchange flaws in similar campaigns.
Microsoft has updated its Microsoft Safety Scanner (MSERT) tool to detect the web shells deployed in these attacks and has published a PowerShell script that searches Exchange log files for indicators of compromise (IOCs).
What’s more, following these attacks, CISA (the Cybersecurity and Infrastructure Security Agency) has published a Remediating Microsoft Exchange Vulnerabilities guide and strongly urges all organizations to address the recently exploited Microsoft Exchange Server vulnerabilities as soon as possible.