The European Banking Authority (EBA) confirmed that it had been the victim of a cyberattack targeting its Microsoft Exchange servers, which forced it to temporarily take its email systems offline as a precautionary measure.
EBA said that, as the vulnerability is related to its email servers, the hackers might have accessed personal data through emails held on those servers.
The regulatory agency has launched an investigation into the incident together with its information and communication technology (ICT) provider, a team of forensic experts, and other relevant entities.
Later, the agency said that it had managed to secure its email infrastructure and that no evidence of data extraction was found.
EBA has restored full functionality of the mail servers, deployed extra security measures and is closely monitoring the situation.
This incident is related to the ongoing, widespread exploitation campaign targeting vulnerable Microsoft Exchange email servers. It comes a week after Microsoft rolled out emergency patches to address four security flaws that could be used to bypass authentication and remotely execute malicious programs.
Microsoft became aware of these vulnerabilities on January 5, 2021, and they were fixed in March. The Exchange Server mass hack has so far targeted around 60,000 known victims globally, including a significant number of small businesses and local governments.
At first, Microsoft linked the attacks to a Chinese state-sponsored hacking group dubbed Hafnium. In an update, the company said that several other threat actors are exploiting the recently patched Exchange flaws in similar campaigns.
Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
According to Slovak internet security firm ESET, the Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso are also attacking unpatched Exchange servers.
CISA also warned of “widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities.”
The attackers deploy web shells that allow them to gain remote access to a compromised server and to the internal network, even after the servers are patched.
Microsoft has updated its Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in these attacks and has released a PowerShell script that searches for indicators of compromise (IOCs) in Exchange and OWA log files.
Image credits: Euractiv