Microsoft Exchange Hackers Also Breached European Banking Authority

The European Banking Authority (EBA) on Monday said it had been
the victim of a cyberattack targeting its Microsoft Exchange servers,
forcing it to temporarily take its email systems offline as a
precautionary measure.

“As the vulnerability is related to the EBA’s email servers,
access to personal data through emails held on those servers may
have been obtained by the attacker,” the Paris-based regulatory
agency said[1].

EBA said it’s launched a full investigation into the incident in
partnership with its information and communication technology (ICT)
provider, a team of forensic experts, and other relevant
entities.

In an update[2] issued later in the day, the agency said it had
secured its email infrastructure and that it found no evidence of
data extraction, adding it has “no indication to think that the
breach has gone beyond our email servers.”

Besides deploying extra security measures, EBA also noted it’s
closely monitoring the situation after restoring the full
functionality of the email servers.

The development is a consequence of an ongoing widespread
exploitation campaign[3] by multiple threat actors targeting
vulnerable Microsoft Exchange email servers, a week after Microsoft
rolled out emergency patches to address four security flaws that
could be chained to bypass authentication and remotely execute
malicious programs.

Microsoft is said to have learned of these vulnerabilities as
early as January 5, 2021, indicating that the company had almost
two months before it eventually pushed out a fix that shipped on
March 2.

The Exchange Server mass hack has so far claimed at least 60,000
known victims globally[4], including a significant number of small
businesses and local governments, with the attackers casting a wide
net before filtering high-profile targets for further
post-exploitation activity.

The rapidly accelerating intrusions, which also come three
months after the SolarWinds hacking campaign, have been primarily
attributed to a group called Hafnium[5], which Microsoft says is
a state-sponsored group operating out of China.

Since then, intelligence gathered from multiple sources points
to an increase in anomalous web shell activity targeting Exchange
servers by at least five different threat clusters toward the end
of February, a fact that may have played an important role in
Microsoft releasing the fixes a week ahead of the Patch Tuesday
schedule.

Indeed, according to the vulnerability disclosure timeline[6] shared by Taiwanese
cybersecurity firm Devcore, Microsoft’s Security Response Center
(MSRC) is said to have originally planned the patch for March 9,
which coincides with the Patch Tuesday for this month.

If the commoditization of the ProxyLogon vulnerabilities doesn’t
come as a surprise, the swift and indiscriminate exploitation by a
multitude of cybercrime gangs and nation-state hackers alike surely
does, implying that the flaws were relatively easy to spot and
exploit.

Stating that the Chinese Exchange server hacks are a major norms
violation, Dmitri Alperovitch, chairman of the Silverado Policy
Accelerator and co-founder of CrowdStrike, said[7] that
“while it started out as a targeted espionage campaign, they engaged
in reckless and dangerous behavior by scanning/compromising
Exchange servers across the entire IPv4 address space with
webshells that can now be used by other actors, including
ransomware crews.”

References

  1. said (www.eba.europa.eu)
  2. update (www.eba.europa.eu)
  3. ongoing widespread exploitation campaign (thehackernews.com)
  4. at least 60,000 known victims globally (www.bloomberg.com)
  5. Hafnium (thehackernews.com)
  6. vulnerability disclosure timeline (proxylogon.com)
  7. said (twitter.com)