The European Banking Authority has fallen victim to a cyber attack. Their Exchange servers were compromised via vulnerabilities patched in early March 2021. Here is some information on what I know so far.
Got your Exchange server hacked by the Hafnium group via the 0-day exploits closed on March 2, 2021? Take comfort, this is happening to more illustrious users of the ubiquitous Microsoft software. I have just received information that the European Banking Authority is among the victims.
I monitor Bank Security's Twitter account and check it whenever I want to get creeped out. It's something like "which bank's network RDP credentials are being offered by hackers right now". There's something in there every day, even if I don't bring it up in the blog. Today, however, I noticed the above tweet, which is still very fresh and bleeding at both ends. As a blogger, the information fits right into what I am currently covering, since it combines a bank and the Exchange hack. On this website, the EBA (European Banking Authority) announced the hack on March 7, 2021.
Cyber-attack on the European Banking Authority
The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organisations worldwide. The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities.
As the vulnerability is related to the EBA's email servers, access to personal data through emails held on those servers may have been obtained by the attacker. The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects.
As a precautionary measure, the EBA has decided to take its email systems offline. Further information will be made available in due course.
The statement is a bit thin on facts, but the relevant details are there. Microsoft Exchange servers have been hacked (this is happening to many operators worldwide). It has hit the email servers that are handled through Exchange – it is believed that the attackers (suspected state-affiliated Chinese hackers from the Hafnium group) had access to the emails. An investigation has been launched to find out how long this hack has been going on. As a precautionary measure, the EBA's email system has been shut down.
On the background of the EBA
The European Banking Authority (EBA) is a European Union body based in Paris, established on the basis of Regulation (EU) No. 1093/2010 of November 24, 2010, whose task is financial market supervision and which emerged from the Committee of European Banking Supervisors (CEBS) on January 1, 2011. It is part of the European System of Financial Supervision (ESFS).
The attack on Exchange Server
I had mentioned it in the blog post Exchange Hack News – Test tools from Microsoft and others: the allegedly state-affiliated Chinese hacker group Hafnium has been exploiting various vulnerabilities (see Exchange server 0-day exploits are actively exploited) in on-premises Exchange servers for months to penetrate them.
Microsoft has only been providing security updates to close the vulnerabilities since March 2, 2021 (although the vulnerabilities were already reported to Microsoft on December 20, 2020). Since March 2, 2021, a huge attack campaign has been running worldwide, in which probably 170,000 Exchange servers (currently, March 12, we are at 300,000) that are accessible via the Internet have, with high probability, been compromised. I had reported about it in various blog posts (see end of article). The EBA will not remain the only prominent victim.
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers