Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

European Banking Authority Sustains Exchange Server Hack

Agency Is the Latest Victim of Attacks Exploiting Newly Exposed Flaws
European Banking Authority Sustains Exchange Server Hack

A Microsoft Exchange Server at the European Banking Authority, a regulatory agency of the European Union, was hacked. But the agency says there are no indications of data exfiltration.

See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive

An investigation is continuing, and the agency says it's deployed additional security controls to the affected server.

In a Tuesday update, the European Banking Authority said the hackers didn't access any sensitive data. The agency says it has restored the compromised email server and is collaborating with the Computer Emergency Response Team - EU and a team of forensic experts to investigate the attack.

"The scope of the vulnerability was limited and the confidentiality of the EBA systems and data has not been compromised," an EBA spokesperson tells Information Security Media Group. "We would also like to note that email communication has been restored."

The European Banking Authority is the latest organization to acknowledge it's been compromised by exploitation of its Microsoft Exchange Servers, which Microsoft attributes to a suspected China-based group exploiting four zero-day flaws in Microsoft Exchange email servers, which are now patched.

Microsoft has identified the four vulnerabilities in Exchange as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

On Thursday, security firm FireEye reported that hackers have targeted units of local government in the U.S. by attempting to exploit unpatched Microsoft Exchange vulnerabilities (see: Hackers Exploit Exchange Flaws to Target Local Governments).

At least 30,000 organizations across the United States have been hacked as a result of the vulnerability exploits, according to security blogger Brian Krebs, who cited unnamed U.S. national security advisers.

China Link

Microsoft attributes the attacks to a China-based advanced persistent threat group it calls Hafnium. It portrays the attacks as "limited and targeted."

Tom Burt, a Microsoft vice president, noted Hafnium has been exploiting the vulnerabilities in Exchange servers to exfiltrate sensitive data from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and nongovernment organizations.

Other security researchers have also warned of upticks in hacking activity exploiting the vulnerabilities.

Slovakian security company ESET, for example, tweeted that CVE-2021-26855 has been used by three hacking groups: LuckyMouse, Tick and Calypso. ESET noted most of the organizations targeted are in the U.S., but others in Europe, Asia and the Middle East also have been hit.

A spokesperson for the Chinese government told Reuters that the nation was not involved in the attacks.

Targeted Attacks

On Thursday, the U.S. Cybersecurity and Infrastructure Agency warned that scanning activity for the vulnerabilities had picked up in recent days. It stressed that federal agencies and private firms should apply patches or disconnect internet-facing systems until the bugs are fixed.

CISA also warned that attackers could use the vulnerabilities to execute arbitrary code on vulnerable Exchange Servers to gain persistence in the vulnerable systems. The hackers can then access files and mailboxes on the servers as well as credentials, the agency added.

John Hultquist, vice president of analysis at Mandiant Threat Intelligence, notes attackers can also leverage the vulnerabilities for extortion and to disrupt systems.

"Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems," Hultquist says. "The cyberespionage operators who have had access to this exploit for some time aren’t likely to be interested in the vast majority of the small- and medium-sized organizations. Though they appear to be exploiting organizations en masse, this effort could allow them to select targets of the greatest intelligence value."


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.