EBA victim of an attack targeting Microsoft Exchange vulnerabilities

Updated: Nov 8, 2021



The European Banking Authority (EBA) said on Monday that it had been the target of a cyber-attack that exploited flaws in Microsoft's email server software, while assuring that no data had been affected.

The regulator holds sensitive data on EU banks and their outstanding credit levels.

Following the attack, which affected a large number of other organisations around the world, the authority launched "a thorough investigation" and decided, as a precautionary measure, to disable its email system "as the vulnerability is related to the European Banking Authority's email servers."


No compromise to date


However, the authority confirmed on 9 March 2021 that the scope of the vulnerability was very limited and that EBA's systems and data had not been compromised. This analysis work was carried out with the help of CERT-EU, the EBA's IT suppliers and a team of forensic experts.


The EBA is one of several thousand organisations in Asia and Europe that have been the target of attacks which, according to Microsoft, exploit vulnerabilities in various versions of its mail server software. As early as December 2020, part of the source code (Exchange and Azure) had been downloaded, allowing hackers to search for new flaws, or even to create copies of these programs with backdoors.


More than 5000 Exchange servers already taken over


ESET Research has found that more than ten different cybercriminal groups are exploiting recent vulnerabilities in Microsoft Exchange: 5000 mail servers are reportedly affected by these malicious activities. In early March, Microsoft released patches for Exchange 2013, 2016 and 2019 servers that address a series of pre-authentication remote code execution (RCE) vulnerabilities.

These vulnerabilities allow an attacker to take over any accessible Exchange server without needing to know the credentials of a valid account, making Internet-connected Exchange servers particularly vulnerable.

Detection of webshells before and after Microsoft patch

ESET researchers have noticed that some hacker groups were exploiting the vulnerabilities even before the patches were released. This rules out the possibility that those groups built their exploits by reverse engineering Microsoft's updates.

Despite the emergency patches provided by Microsoft, cyber attacks continue, and the US company has indicated that it is working with government agencies and security companies to support its customers.

However, these incidents are a reminder that complex applications such as Microsoft Exchange or SharePoint should not be exposed directly to the Internet.


About the EBA

The EBA's main task is to contribute, through the adoption of binding technical standards and guidelines, to the creation of a single regulatory book in the banking sector. The aim of this single regulatory compendium is to provide a single set of harmonised prudential rules for financial institutions across the EU, which will help to create a level playing field and offer a high level of protection to depositors, investors and consumers.

The Authority also plays an important role in promoting the convergence of supervisory practices to ensure a harmonised application of prudential rules. The EBA is also responsible for assessing risks and vulnerabilities in the European banking sector, including through regular risk assessment reports and pan-European stress tests.
