
Chinese hackers exploited Microsoft Exchange flaw to target European Banking Authority servers

The European Banking Authority has confirmed that hackers recently compromised its email servers and possibly accessed personal details of users after exploiting security flaws in Microsoft Exchange.

Last Tuesday, Microsoft’s Threat Intelligence Center released a report on Hafnium, a China-based hacker group which is in the business of targeting U.S.-based organisations across all industries using leased virtual private servers (VPS) in the U.S. Its list of victims includes infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Recently, Hafnium exploited previously unknown vulnerabilities in Microsoft’s on-premises Exchange server software and also used stolen credentials to infiltrate Exchange servers owned by a number of organisations worldwide. According to Microsoft, after infiltrating an Exchange server, Hafnium would create a webshell to control the compromised server remotely, and then use the remote access to steal data from the network.

Microsoft has released security updates to help organisations defend against such attacks launched by Hafnium, but the move seems to have come a little too late. According to security researcher Brian Krebs, the Chinese hacker group successfully hacked at least 30,000 organisations across the U.S., and is moving quickly to target as many organisations worldwide as possible before the vulnerable Exchange servers are patched by their owners.

Two cyber security experts also told Krebs that Hafnium has taken control of hundreds of thousands of Microsoft Exchange servers worldwide. The numbers indicate that this hacking attack is several times worse than the successful exploitation of a vulnerability in SolarWinds’ Orion software by Russian hackers, which affected 18,000 organisations worldwide.

Last Sunday, the European Banking Authority, the Paris-based regulatory agency of the European Union which regulates European banks on standards like transparency and strong capital structures, said a cyber attack compromised its Microsoft Exchange servers and enabled hackers to gain access to personal data in emails that were stored in the targeted servers. To mitigate the breach, EBA quickly took the servers offline and launched an investigation into the incident.

In another notification it released this Monday, EBA said it successfully secured its email infrastructure and could confirm that hackers did not exfiltrate any data from the affected servers and that the breach was limited to its email servers. The agency released another notification today to advise users that its email communications services have been restored.

“The European Banking Authority (EBA) has established that the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised. Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.

“Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data.

“The analysis was carried out by the EBA in close collaboration with the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies, the EBA’s ICT providers, a team of forensic experts and other relevant entities. Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation,” it said.

Commenting on the widespread hacking of vulnerable Microsoft Exchange servers worldwide, Mark Bower, SVP at Comforte AG, told TEISS that the recent threat to Microsoft Exchange servers has the potential to go far beyond just email itself. CISA’s recent guidance indicates the potential for server and downstream system compromise, which is extremely concerning for leaders of affected organisations.

“The capacity for attackers to extract sensitive data from emails, spreadsheets in mailboxes, insecure credentials in messages, as well as attached servers presents an advanced and persistent threat with multiple dimensions. This is yet again a reminder to take steps to discover sensitive data exposure, protect it, and ensure the security isn’t limited to infrastructure and perimeter controls that were no barrier to this extensive and damaging attack. I predict affected entities and their supply chain partners will see persistent secondary impact as a result over a long period of time,” he added.



All rights reserved Teiss Recruitment Ltd.