By: Ravie Lakshmanan
The European Banking Authority (EBA) on Sunday said it had been a victim of a cyberattack targeting its Microsoft Exchange Servers, forcing it to temporarily take its email systems offline as a precautionary measure.
“As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker,” the Paris-based regulatory agency said.
EBA said it has launched a full investigation into the incident in partnership with its information and communication technology (ICT) provider, a team of forensic experts, and other relevant entities.
In a second update issued on Monday, the agency said it had secured its email infrastructure and that it found no evidence of data extraction, adding it has “no indication to think that the breach has gone beyond our email servers.”
Besides deploying extra security measures, EBA also noted it is closely monitoring the situation after restoring the full functionality of the email servers.
The development is a consequence of an ongoing widespread exploitation campaign by multiple threat actors targeting vulnerable Microsoft Exchange email servers a week after Microsoft rolled out emergency patches to address four security flaws that could be chained to bypass authentication and remotely execute malicious programs.
Microsoft is said to have learned of these vulnerabilities as early as January 5, 2021, indicating that the company had almost two months before it eventually pushed out a fix that shipped on March 2.
The Exchange Server mass hack has so far claimed at least 60,000 known victims globally, including a significant number of small businesses and local governments, with the attackers casting a wide net before filtering high-profile targets for further post-exploitation activity.
The rapidly accelerating intrusions, which also come three months after the SolarWinds hacking campaign, have been primarily attributed to a group called Hafnium, which Microsoft says is a state-sponsored group operating out of China.
Since then, intelligence gathered from multiple sources points to an increase in anomalous web shell activity targeting Exchange servers by at least five different threat clusters toward the end of February, a fact that may have played an important role in Microsoft releasing the fixes a week ahead of the Patch Tuesday schedule.
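The anomalous web shell activity mentioned above is typically visible to defenders as requests to .aspx resources that an Exchange front end never served before. The script below is an added illustration of that hunting approach (my own code, not the article's and not from Microsoft or EBA): it parses IIS W3C log lines and reports every successful request to an .aspx path missing from a baseline of known endpoints. The baseline set, the log lines and all IP addresses are constructed for the example; a real baseline would be built from a known-good period of the same server's logs.

```python
"""Baseline-driven hunt for web shell requests in IIS W3C logs.

Added example, not code from the article. Web shells dropped on an Exchange
front end answer requests at .aspx paths the server did not serve before, so
requests to .aspx resources outside a known baseline are worth a look.
"""
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Hypothetical baseline: .aspx endpoints this server legitimately serves.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Default IIS W3C field order, used only when the log has no #Fields: header.
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
).split()

# Constructed sample log: two normal OWA logon requests from one client, then a
# second client hammering two .aspx paths that are not in the baseline.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-03-01 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 90
2021-03-01 10:02:44 10.0.0.5 POST /owa/auth/example.aspx - 443 - 198.51.100.20 python-requests/2.25 - 200 0 0 35
2021-03-01 10:02:51 10.0.0.5 POST /owa/auth/example.aspx - 443 - 198.51.100.20 python-requests/2.25 - 200 0 0 33
2021-03-01 10:03:10 10.0.0.5 GET /aspnet_client/sample.aspx - 443 - 198.51.100.20 python-requests/2.25 - 200 0 0 20
"""


def parse_iis_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the W3C field names."""
    fields = list(DEFAULT_FIELDS)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the log's own field order wins
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date)
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # malformed record: skip, do not crash
        yield dict(zip(fields, values))


def hunt_web_shells(lines: Iterable[str], known=KNOWN_ASPX) -> Dict[Tuple[str, str, str], int]:
    """Count successful requests to .aspx paths outside the baseline.

    Returns {(client_ip, method, path): count}. Both GET and POST are kept,
    because a shell answers either; only HTTP 200 responses are counted, since
    a 404 shows nothing was listening at that path.
    """
    hits: Counter = Counter()
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx") or stem in known:
            continue
        if rec.get("sc-status") != "200":
            continue
        hits[(rec.get("c-ip", "?"), rec.get("cs-method", "?"), stem)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, method, path), count in sorted(hunt_web_shells(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:15} {method:5} {path:35} {count} request(s)")
```

Every hit is a candidate for a file-system check of the corresponding path on the server, not a confirmed compromise; legitimate endpoints missing from the baseline show up the same way, so the baseline should be refined from the server's own history before alerting on the output.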
Indeed, according to the vulnerability disclosure timeline shared by Taiwanese cybersecurity firm Devcore, Microsoft’s Security Response Center (MSRC) is said to have originally planned the patch for March 9, which coincides with the Patch Tuesday for this month.
If the commoditization of the ProxyLogon vulnerabilities doesn’t come as a surprise, the swift and indiscriminate exploitation by a multitude of cybercrime gangs and nation-state hackers alike surely does, implying that the flaws were relatively easy to spot and exploit.
Stating that the Chinese Exchange server hacks are a major norms violation, Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of CrowdStrike, said “while it started out as a targeted espionage campaign, they engaged in reckless and dangerous behavior by scanning/compromising Exchange servers across the entire IPv4 address space with web shells that can now be used by other actors, including ransomware crews.”