European Banking Authority Among Nearly 60,000 Victims of the Microsoft Exchange Hack

essidsolutions

The European Banking Authority was among thousands of organizations whose Exchange email servers were infiltrated by China-based malicious actors. According to Microsoft, the hackers exploited previously unknown vulnerabilities in Microsoft Exchange to target organizations worldwide.

The European Banking Authority (EBA), a regulatory agency of the European Union, was forced to take its email servers offline this week after they were infiltrated by Hafnium, a group of state-sponsored Chinese hackers. The group recently exploited previously unknown vulnerabilities in Microsoft Exchange and used stolen credentials to infiltrate Exchange servers owned by nearly 60,000 organizations.

The Paris-based banking regulator initially said that the hackers gained access to personal data through emails held on the targeted servers. However, EBA clarified on Monday that “the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised.”

According to Microsoft, Hafnium began exploiting four critical vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 in January. Following the discovery of the attacks, Microsoft issued emergency out-of-band patches for the four flaws, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. However, according to the White House National Security Council, simply patching these vulnerabilities may not be enough: a patch closes the door but does not remove an attacker who already walked through it.

Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.

— National Security Council (@WHNSC) March 6, 2021

Jake Sullivan, the U.S. National Security Advisor, took to Twitter to warn of the attack's potential impact and advised users to follow the mitigation steps laid out by CISA. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an Emergency Directive urging federal agencies to update their Exchange servers with Microsoft's patches immediately. CISA also advised federal agencies to look for indicators of compromise and to contact it if indicators are found.
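The NSC and CISA guidance quoted here tells operators to look for indicators of compromise but does not say what to look for. As an added example that is not part of the original article, the Python below applies one of the detection rules Microsoft published alongside the patches for CVE-2021-26855: an Exchange HttpProxy log entry with an empty AuthenticatedUser whose AnchorMailbox matches the glob ServerInfo~*/*. The log rows are constructed for the example and the column set is reduced to what the check needs; on a real server the files live under the Exchange installation's Logging\HttpProxy directory and the same rule is applied to every file there. A hit is an indicator, not proof, but it means the server needs an incident-response review rather than just the patch, which is exactly the point the NSC tweet makes.

```python
import csv
import fnmatch
from typing import Iterable

# Constructed sample modelled on the CSV layout of Exchange HttpProxy logs,
# reduced to the columns the check needs. These are NOT real log entries.
# Row a2 has an empty AuthenticatedUser and an AnchorMailbox of the form
# ServerInfo~*/*, the pattern Microsoft published as an indicator of
# CVE-2021-26855 exploitation. Rows a1 and a3 are benign.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T08:15:01.000Z,a1,198.51.100.7,/owa/auth.owa,,Sid~S-1-5-21-1-2-3-1104
2021-03-02T08:15:09.000Z,a2,203.0.113.5,/ecp/y.js,,ServerInfo~a]@exchange.example.local:444/autodiscover/autodiscover.xml?#
2021-03-02T08:16:30.000Z,a3,192.0.2.10,/owa/,alice@example.local,Smtp~alice@example.local
"""

# Detection rule as Microsoft published it: an unauthenticated request
# (AuthenticatedUser empty) whose AnchorMailbox matches this glob.
SERVERINFO_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text: str) -> Iterable[dict]:
    """Yield one dict per data row, skipping the '#'-prefixed metadata lines
    that Exchange writes above the column header and any blank lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return csv.DictReader(rows)


def find_serverinfo_requests(text: str) -> list[dict]:
    """Return every row that satisfies the CVE-2021-26855 indicator."""
    hits = []
    for row in parse_httpproxy_log(text):
        authenticated_user = row.get("AuthenticatedUser") or ""
        anchor = row.get("AnchorMailbox") or ""
        # fnmatchcase keeps the check case-sensitive, matching the published glob
        if authenticated_user == "" and fnmatch.fnmatchcase(anchor, SERVERINFO_PATTERN):
            hits.append(row)
    return hits


if __name__ == "__main__":
    # Stand-alone run over the constructed sample: prints the single a2 hit.
    for hit in find_serverinfo_requests(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
```

To use it against real data, read each file under Logging\HttpProxy into find_serverinfo_requests and keep the log files themselves untouched; the DateTime and ClientIpAddress of any hit are what an incident responder will ask for first.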

And, this article offers specific measures beyond just patching to determine if your systems are already compromised:

— Jake Sullivan (@JakeSullivan46) March 5, 2021

Besides the European Banking Authority, up to 60,000 organizations, 30,000 of them in the United States alone, were reportedly targeted by the hackers. Many of these are small businesses, cities and towns, and local governments. In contrast, last year's SolarWinds hack reached 18,000 organizations worldwide, but the attackers cherry-picked around ten government agencies and nearly 100 large companies for follow-on intrusion.


According to cybersecurity researcher Brian Krebs, Hafnium "seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems." He added that Hafnium previously targeted "email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs."

John Hultquist, Vice-President of Analysis at FireEye-owned Mandiant Threat Intelligence, told Forbes, "Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems."

“The cyber espionage operators who have had access to this exploit for some time, aren’t likely to be interested in the vast majority of the small and medium organizations. Though they appear to be exploiting organizations in masses, this effort could allow them to select targets of the greatest intelligence value,” he added.

Microsoft said that Hafnium’s primary targets include U.S. organizations from sectors such as infectious disease research, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, mainly to exfiltrate information.

While the hackers' primary motive is yet to be ascertained, the campaign looks like a multi-pronged effort to gain access to intellectual property and to scientific and other research data.

However, what’s astonishing is the speed at which the Chinese nation-state group was able to gain a foothold into the Exchange servers of so many organizations worldwide. This, along with the SolarWinds attack, illustrates how far behind the white hat community is compared to the sophistication of state-sponsored malicious actors.

President Biden's administration has so far refrained from commenting on the attack's scope, prompting a reasonable question from former CISA Director Chris Krebs. "This is a crazy huge hack. The numbers I've heard dwarf what's reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild?" he asked.

The White House has, however, announced the formation of a Unified Coordination Group (UCG) task force through the National Security Council. Consisting of the FBI, the CISA, and the Department of Homeland Security, the UCG’s prime objective is to clean up the mess created by this far-reaching attack originating from China, the chief economic and technological rival of the United States.

Terming the spate of attacks an "active threat," an official from the White House told CNN, "We are undertaking a whole of government response to assess and address the impact. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to agencies and we're now working with our partners and looking closely at the next steps we need to take. This is an active threat still developing and we urge network operators to take it very seriously."
