European Banking Authority discloses Exchange server hack

Filed under Security News.

The European Banking Authority (EBA) took down all email systems after their Microsoft Exchange Servers were hacked as part of the ongoing attacks targeting organizations worldwide.

EBA is part of the European System of Financial Supervision and oversees the integrity and orderly functioning of the EU banking sector.

“The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities,” EBA said.

“The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects.”

An initial advisory published Sunday said that the attackers might have gained access to personal information stored on the email servers.

However, an update issued today added that forensic experts had found no signs of data exfiltration.

“The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,” the EU agency said.

“At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”

Widespread attacks targeting organizations worldwide

Last week, Microsoft patched multiple zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server that were already being exploited in ongoing attacks by multiple state-sponsored hacking groups.

At first, Microsoft linked the attacks only to a Chinese state-sponsored hacking group it dubbed Hafnium.

In an update to the blog post, the company said that several other threat actors are exploiting the recently patched Exchange flaws in similar campaigns.

While the identities of Hafnium's current targets are not yet known, Microsoft has shared a list of the industry sectors the group has targeted in the past.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft VP Tom Burt said.

The Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso are also attacking unpatched Exchange servers, according to Slovak internet security firm ESET, which says it has also detected other state-sponsored groups it could not identify.

CISA also warned of "widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities" on Saturday, urging admins to run Microsoft's IOC detection tool to check their servers for signs of compromise.

The attackers deploy web shells that give them remote access to the compromised server and, from there, to the internal network. Because a web shell is a file written to the server, it survives patching: installing the security updates closes the entry point but does not remove access the attackers have already established, so servers that were exposed before patching still have to be checked for compromise.

Microsoft has updated its Microsoft Safety Scanner (MSERT) tool to detect the web shells deployed in these attacks and has released a PowerShell script that searches Exchange and OWA log files for indicators of compromise (IOCs).
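As an added illustration of the check the two paragraphs above call for, the PowerShell script below hunts for ASP.NET web shells in the on-premises Exchange front-end directories. It is not code from the article, from Bleeping Computer or from Microsoft's MSERT or IOC script. The directory list (the locations commonly reported as drop points in these attacks), the content markers, the 30-day window and the script name used in the usage note are assumptions to adapt to your environment.

```powershell
<#
  Added example (not from the article or from Microsoft's tooling): hunt for ASP.NET web
  shells in the on-premises Exchange web directories, which survive patching of the server.
  Run in an elevated PowerShell session on the Exchange server itself.
  Directory list, content markers and time window are assumptions; adjust to your setup.
#>
param(
    [int]$DaysBack = 30,                                          # flag script files newer than this
    [string]$ReportPath = "$env:TEMP\exchange-webshell-hunt.csv"  # where to write the findings
)

# Exchange setup exports ExchangeInstallPath on the server; fall back to the default location.
$exchangeRoot = $env:ExchangeInstallPath
if ([string]::IsNullOrEmpty($exchangeRoot)) {
    $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\'
}

# Assumed drop points. The owa\auth and ecp\auth folders legitimately hold .aspx pages, so only
# new or suspicious files are flagged there; aspnet_client should hold no server-side script at
# all, so any script file found under it is reported.
$webDirs = @(
    @{ Path = (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'); ScriptsExpected = $true  },
    @{ Path = (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'); ScriptsExpected = $true  },
    @{ Path = 'C:\inetpub\wwwroot\aspnet_client';                      ScriptsExpected = $false }
)

$scriptExtensions = '.aspx', '.ashx', '.asmx'

# Heuristic markers: server-side code that takes a request parameter and hands it to a process
# launcher or an evaluator. Legitimate pages can match, so every hit needs manual triage.
$markers = 'Request\[', 'Request\.Form', 'Request\.Item', 'eval\s*\(',
           'Process\.Start', 'ProcessStartInfo', 'JScript', 'cmd\.exe', 'powershell'

$cutoffUtc = (Get-Date).ToUniversalTime().AddDays(-$DaysBack)
$findings  = New-Object System.Collections.Generic.List[object]

foreach ($dir in $webDirs) {
    if (-not (Test-Path -LiteralPath $dir.Path)) { continue }

    Get-ChildItem -LiteralPath $dir.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = @($markers | Where-Object { $content -match $_ })
            $recent  = $file.CreationTimeUtc -ge $cutoffUtc -or $file.LastWriteTimeUtc -ge $cutoffUtc

            $reasons = @()
            if (-not $dir.ScriptsExpected) { $reasons += 'script file in a directory that should hold none' }
            if ($recent)                   { $reasons += "created or modified after $($cutoffUtc.ToString('u'))" }
            if ($hits.Count -gt 0)         { $reasons += "content markers: $($hits -join ', ')" }

            if ($reasons.Count -gt 0) {
                $findings.Add([pscustomobject]@{
                    Path        = $file.FullName
                    CreatedUtc  = $file.CreationTimeUtc
                    ModifiedUtc = $file.LastWriteTimeUtc
                    SizeBytes   = $file.Length
                    # SHA256 lets you compare against the web shell hashes Microsoft published.
                    SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    Reasons     = ($reasons -join '; ')
                })
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Host "No suspicious script files found under the checked directories."
} else {
    $findings | Sort-Object CreatedUtc -Descending | Format-Table Path, CreatedUtc, Reasons -AutoSize
    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Warning "$($findings.Count) suspicious file(s) written to $ReportPath. Treat this as a possible compromise: preserve the files and the IIS and Exchange logs before deleting anything."
}
```

Saved under a hypothetical name such as `Find-ExchangeWebShells.ps1`, it runs as `.\Find-ExchangeWebShells.ps1 -DaysBack 14` from an elevated prompt on the Exchange server. A clean result does not clear the server: this heuristic only covers files still present in the listed directories, so MSERT and Microsoft's IOC script should still be run, and because the article notes that the web shells are used to reach the internal network, any hit should trigger an investigation of what the attackers did after landing rather than just deletion of the file.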


The information in this article is gathered from Bleeping Computer.