
EBA restores services after Microsoft Exchange attack

European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online

The European Banking Authority (EBA) says it has fully restored its services following a cyber attack on its Microsoft Exchange servers. The attack exploited the vulnerabilities disclosed by Microsoft last week, which are now thought to have affected more than 100,000 organisations globally.

The EBA revealed on Sunday 7 March that it had fallen victim to an attack on its Exchange servers – becoming one of the first high-profile victims of the wave of cyber attacks to step forward since last week’s sudden disclosures.

After the incident, the organisation took its email services offline while investigations took place, and deployed additional security measures and monitoring with the help of its IT providers, cyber forensics experts, and the European Union’s Computer Emergency Response Team (CERT-EU).

“The EBA has established that the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised,” said a spokesperson today.

“Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.

“Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data.

“Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation.”

Exploitation of the four vulnerabilities in question – which affect only on-premise versions of Microsoft Exchange – was initially attributed to a Chinese advanced persistent threat (APT) group known as Hafnium, but they quickly attracted attention from other malicious actors, with multiple other threat research teams monitoring widespread exploitation early on. In the light of this, it is impossible to say whether the EBA was targeted by Hafnium or another group.

However, what is now becoming clear after a week is that the scale of the resulting cyber attacks is extremely significant, with scans showing the backdoor web shell deployed onto vulnerable servers present on thousands of networks, according to KrebsOnSecurity, which also reported that most of the organisations hit so far were running internet-facing Microsoft Outlook Web Access (OWA) email alongside internal Exchange servers.

Mark Bower, SVP at Comforte AG, said it was now becoming clear the threat had the potential to go well beyond just email. “CISA’s recent guidance indicates the potential for server and downstream system compromise, which is extremely concerning for leaders of affected organisations,” he said.

“The capacity for attackers to extract sensitive data from emails, spreadsheets in mailboxes, insecure credentials in messages, as well as attached servers, presents an advanced and persistent threat with multiple dimensions.

“I predict affected entities and their supply chain partners will see persistent secondary impact as a result over a long period of time.”

Microsoft Exchange Server cyber attack timeline

3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.

4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.

5 March: Analysis from technical teams at FireEye’s Mandiant shows that activity exploiting the newly disclosed vulnerabilities in Microsoft Exchange Server had begun more than a month earlier.

8 March: Microsoft said it has seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.
