European Banking Authority discloses Exchange server hack

The European Banking Authority (EBA) took down all email systems after their Microsoft Exchange Servers were hacked as part of the ongoing attacks targeting organizations worldwide.

EBA is part of the European System of Financial Supervision, and it oversees the integrity and orderly functioning of the EU banking sector.

“The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities,” EBA said.

“The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects.”

An initial advisory published Sunday said that the attackers might have gained access to personal information stored on the email servers.

However, an update issued today added that forensic experts had found no signs of data exfiltration.

“The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,” the EU agency said.

“At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”

Widespread attacks targeting organizations worldwide

Last week, Microsoft patched multiple zero-day vulnerabilities affecting on-premises versions of Microsoft Exchange Server and exploited in ongoing attacks coordinated by multiple state-sponsored hacking groups.

At first, Microsoft only linked the attacks to a China state-sponsored hacking group dubbed Hafnium.

In an update to the blog post, the company says several other threat actors exploit the recently patched Exchange flaws in similar campaigns.

While Hafnium’s targets’ identities are not yet known, Microsoft has shared a list of previously targeted industry sectors.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft VP Tom Burt said.

The Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso are also attacking unpatched Exchange servers, according to Slovak internet security firm ESET, which says that it also detected other state-sponsored groups it couldn’t identify.

CISA also warned of “widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities” on Saturday, urging admins to use Microsoft’s IOC detection tool to detect signs of compromise in their organizations.

The attackers deploy web shells that allow them to gain remote access to a compromised server and to the internal network, even after the servers are patched.

Microsoft has updated its Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in these attacks, as well as a PowerShell script that searches for indicators of compromise (IOC) in Exchange and OWA log files.