The European Banking Authority, a critical EU financial service regulator, has been hacked after a successful attack on its Microsoft Exchange Servers. The incident comes after Microsoft pushed out emergency patches for four previously undisclosed vulnerabilities that can be exploited by a remote, unauthenticated attacker. A group that the company dubbed “HAFNIUM” has been widely abusing the critical vulnerabilities since at least January.
(Security experts say that any organisation running on-premises Microsoft Exchange should assume it has been breached amid a global campaign by what are believed to be Chinese nation state-backed actors. The attackers appear to have automated the attacks, using the chain of Microsoft vulnerabilities for initial access, then dropping backdoor web shells and creating Exchange accounts. Users will need to review all accounts. Security company Blue Hexagon has a useful and in-depth post with IoCs here.)
“As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker. The EBA is working to identify what, if any, data was accessed. Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects,” the EBA said on March 7. It has taken email systems offline “as a precautionary measure”.
The EBA’s mandate includes maintaining financial stability in the EU and safeguarding “the integrity, efficiency and orderly functioning of the banking sector”. The EBA was among three EU organisations that recently wrote to the European Commission about the Digital Operational Resilience Act (DORA), which sets out key rules governing ICT risk management, incident reporting, testing and oversight, saying the pending legislation should “enlarge the scope of action” by “directly assigning them the necessary legal mandate” to enforce new rules on digital resilience.
The EBA is one of a reported 60,000+ victims of hackers abusing the Exchange Server vulnerabilities. Microsoft pushed out patches on Monday March 1, 2021, but attacks appear to have been automated and stepped up since as cybercrime groups swoop on thousands of exposed targets.
The HAFNIUM group is considered highly sophisticated. As security firm SentinelOne notes, “their arsenal of tools includes 0-days along with customized malware, COTS/Open-source tools, and LOTL techniques. This includes heavy use of PowerShell and other common native OS features.”
The four bugs used for initial access are CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Exchange; CVE-2021-26857, a vulnerability in the Unified Messaging service which, when exploited by the threat group, gives attackers the ability to run code as SYSTEM; and CVE-2021-26858 and CVE-2021-27065, two post-authentication arbitrary file write vulnerabilities.
(Sysadmins struggling with a post-compromise clean-up may find this self-help thread as useful as anything from the vendors themselves.)
European Banking Authority hacked, thousands of others also breached in sweeping campaign.
Microsoft was alerted to critical previously undisclosed bugs in all of its latest versions of Exchange Server (used for on-premises email) by Virginia-based incident response specialist Volexity, which says it saw attacks abusing the zero days from January 6, 2021. They first spotted exploitation after seeing “a large amount of data being sent to IP addresses it believed were not tied to legitimate users” from two customers’ servers.
The incident response and digital forensics firm added: “The attacker was using the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail.”
With the attackers having in many cases been inside systems for some time (Microsoft has described HAFNIUM, the group responsible for the original set of Exchange Server zero days, as China-backed), experts warned that an extensive post-incident review of all systems will be crucial.
Investigation tips from FireEye
FireEye recommends checking the following for evidence of compromise:
- “Child processes of C:\Windows\System32\inetsrv\w3wp.exe on Exchange Servers, particularly cmd.exe.
- Files written to the system by w3wp.exe or UMWorkerProcess.exe.
- ASPX files owned by the SYSTEM user.
- New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory.
- Reconnaissance, vulnerability-testing requests to the following resources from an external IP address:
  - /rpc/ directory
  - Non-existent resources
  - With suspicious or spoofed HTTP User-Agents
- Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes.”
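The three log-based indicators above (requests to /rpc/, to non-existent resources, and with suspicious User-Agents, all from external addresses) can be triaged directly from the IIS W3C logs that Exchange writes under inetpub\Logs\LogFiles. The following is an added example, not code from the article, FireEye or Microsoft; the log excerpt is constructed, and it assumes internal clients sit in RFC 1918 space and that an absent or generic scripting User-Agent counts as suspicious.

```python
import ipaddress

# Constructed IIS W3C log excerpt (layout follows a normal #Fields header);
# addresses, paths and user-agents are made up for this example.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2021-03-02 08:01:10 GET /owa/auth/logon.aspx 10.0.0.15 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-02 08:01:12 GET /rpc/ 203.0.113.7 - 401
2021-03-02 08:01:13 GET /ecp/does-not-exist.aspx 203.0.113.7 python-requests/2.25.1 404
2021-03-02 08:01:15 POST /owa/auth/logon.aspx 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 302
"""

# Assumptions: internal clients sit in RFC 1918 space, and a "suspicious or
# spoofed" agent is absent or a generic scripting client. Tune for your estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPICIOUS_AGENTS = ("-", "python-requests", "curl/", "Go-http-client")


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def is_external(ip):
    """True unless the client address falls inside an internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable value: keep the record in scope for review
    return not any(addr in net for net in INTERNAL_NETS)


def find_recon(text):
    """Return (c-ip, uri, reason) for each request matching the indicators above."""
    hits = []
    for rec in parse_w3c(text):
        ip = rec.get("c-ip", "-")
        if not is_external(ip):
            continue
        uri = rec.get("cs-uri-stem", "")
        if uri.startswith("/rpc/"):
            hits.append((ip, uri, "request to /rpc/ directory"))
        if rec.get("sc-status") == "404":
            hits.append((ip, uri, "non-existent resource"))
        if rec.get("cs(User-Agent)", "-").startswith(SUSPICIOUS_AGENTS):
            hits.append((ip, uri, "suspicious user-agent"))
    return hits
```

Run `find_recon` over the concatenated contents of each `u_ex*.log` file under the LogFiles directory; a single external address that trips several reasons in quick succession is the pattern worth escalating.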
FireEye added in a March 4 blog that the web shells it has observed placed on Exchange Servers have been named differently in each intrusion, and as a result the file name alone is not a high-fidelity indicator of compromise.
“As system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:
- At least 14 days of HTTP web logs from the inetpub\Logs\LogFiles directories (include logs from all subdirectories)
- The contents of the Exchange Web Server (also found within the inetpub folder)
- At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\Microsoft\Exchange Server\v15\Logging\ECP\Server
- Microsoft Windows event logs.”
Details from Volexity on the TTPs of the attackers are here.
Details from Microsoft including on remediation are here.
Further details from FireEye on the HAFNIUM campaign here.