European Banking Authority (EBA) has disclosed that it is one of the victims of the recently revealed Microsoft Exchange Server Hack blamed on Chinese State-backed hackers.
Last week Hackread.com reported that Microsoft Exchange Servers were hit by a large-scale cyberattack after Chinese hackers exploited several critical vulnerabilities. Now, it has been revealed that the attack was on a global level and more than 30,000 organizations were targeted.
One among the victims is the European Banking Authority (EBA) which is an independent EU Authority that works to ensure an effective and consistent level of regulation and supervision across the European banking sector.
EBA maintains the overall financial stability and sure integrity, efficiency, and orderly functioning of the banking sector. However, EBA has now revealed the cyberattack took down all of its email systems.
“As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on that server may have been obtained by the attacker,” EBA revealed in a statement.
The organization initially released a statement on Sunday where it explored the possibility that the attackers may have gained access to personal information stored on the email servers.
The report also included their guarantee of the fact that they will identify what data was accessed and what measures should be taken by the data subjects to mitigate the possible adverse effects. As a precautionary measure, they also decided to take their email systems offline.
Today EBA issued another update in which the forensic experts confirmed that they found no signs of data exfiltration.
“At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers,” said the EBA.
“The EBA has taken all precautionary measures to protect personal and other data and will take additional steps and provide further updates as necessary.”
Regarding the widespread attacks targeting organizations worldwide, Microsoft fixed various vulnerabilities that were previously affecting and exploiting Microsoft Exchange Server.
Initially, the tech giant was only able to link the attacks to a China state-sponsored hacking group known as “Hafnium” but in an updated blog post, the company stated that several other threat actors have exploited the recently patched Exchange Server flaws using similar schemes.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:inetpubwwwrootaspnet_clientsystem_web. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
Even though their targets have not been identified as of yet, Microsoft has shared a list of previously targeted industry sectors.
According to Microsoft, the attackers use web shells that allow them to gain remote access to a compromised server as well as the internal network even after the servers have been patched.
The vulnerabilities were found in MS Exchange Server 2013, 2016, and 2019 and include the following:
1. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that attackers can exploit to send arbitrary HTTP requests.
2. CVE-2021-26857– It is an insecure deserialization vulnerability in which a program could deserialize untrusted user-controllable data. Attackers can exploit it to run code as SYSTEM on the Exchange server after acquiring administrator permission.
3. CVE-2021-26858– This post-authentication arbitrary file writes vulnerability could allow an attacker to write a file to any path on the server if authenticated with the Exchange server.
4. CVE-2021-27065– It is another post-authentication arbitrary file write vulnerability that Hafnium could authenticate with the Exchange server by either compromising legit admin credentials or exploiting the CVE-2021-26855 SSRF vulnerability and write a file to any path on the server.