The European Banking Authority (EBA) has confirmed it has fallen victim to the ongoing Microsoft Exchange attacks.
With a total of four highly valuable zero-day exploits, previously unreported vulnerabilities that give cybercriminals a head start in any attack campaign, the attacks against on-premises Microsoft Exchange servers were always going to be a big deal. Those initial attacks, which prompted Microsoft to publish an emergency out-of-band security update, were attributed to a nation state-sponsored group identified as HAFNIUM. The nation in question is China. However, Microsoft has now confirmed that it “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM.”
As I reported on March 6, credible sources were suggesting that the attacks against vulnerable Microsoft Exchange servers were thought to have compromised ‘hundreds of thousands’ of servers, more than 30,000 in the U.S. alone.
One of those attacked outside of the U.S. was the European Union’s banking regulator, the European Banking Authority. On March 7, the EBA issued a statement confirming that it had “been the subject of a cyber-attack against its Microsoft Exchange Servers.”
While stating that a full investigation was underway, the EBA went on to add: “As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on that servers may have been obtained by the attacker. The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects. As a precautionary measure, the EBA has decided to take its email systems offline. Further information will be made available in due course.”
Further information was, indeed, made available by way of an update on March 8. “The EBA investigation is still ongoing and we are deploying additional security measures and close monitoring in view of restoring the full functionality of the email servers,” it read. “At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.”
“The exploitation of the 0days in question required some specific conditions and thus raises questions what exactly happened at the EBA,” Ilia Kolochenko, chief architect at ImmuniWeb, said. “Another key question is when exactly the EBA was compromised?” Kolochenko points out that if the intrusion happened after the disclosure but prior to the emergency patch, the vulnerable systems should have been immediately disconnected to prevent exploitation in the wild. “The EBA is likely not the last victim of this hacking campaign,” he warns, “and more public authorities may disclosure incidents stemming from exploitation of the same vulnerabilities.”
I have approached the EBA for further comment.
Meanwhile, Mark Bower, a senior vice-president at comforte AG, said that “the capacity for attackers to extract sensitive data from emails, spreadsheets in mailboxes, insecure credentials in messages, as well as attached servers presents an advanced and persistent threat with multiple dimensions.”
Although it should be reiterated that, at this point in the investigation, the EBA is saying that “no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers.” Bower, like Kolochenko, warns that more incidents will be reported. “Affected entities and their supply chain partners will see a persistent secondary impact as a result over a long period of time,” he said.
I’ll leave the final word to John Hultquist, vice-president of analysis with Mandiant Threat Intelligence. “Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems.
The cyber espionage operators who have had access to this exploit for some time, aren’t likely to be interested in the vast majority of the small and medium organizations. Though they appear to be exploiting organizations in masses, this effort could allow them to select targets of the greatest intelligence value.”
Update March 9
The EBA has now published a third update, which I reprint here in full:
“The European Banking Authority (EBA) has established that the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised.
Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.
Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data.
The analysis was carried out by the EBA in close collaboration with the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies, the EBA’s ICT providers, a team of forensic experts and other relevant entities.”
I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at firstname.lastname@example.org if you have a story to reveal or research to share.