ajwk - stock.adobe.com

Norwegian government falls victim to Microsoft attacks

Norway’s parliament, the Storting, suffers second major cyber incident in a year as threat groups capitalise on vulnerable Microsoft Exchange Servers

The national parliament of Norway, the Storting, has come forward as another victim of cyber attacks arising from a series of dangerous ProxyLogon vulnerabilities in Microsoft Exchange Server that affect more than 100,000 organisations worldwide and are being actively exploited by malicious actors.

In a statement, the Storting said it did not yet know the full extent of the attack, but had established that some data had been exfiltrated. It is currently working on additional security measures and has initiated a full investigation alongside law enforcement.

“We know that data has been extracted, but we do not have a full overview of the situation,” said Marianne Andreassen, secretary general of the Storting. “We have implemented a series of comprehensive measures and are not ruling out further action. We are working closely with the relevant security authorities. The situation is currently unresolved, and we do not yet know the full potential of the damage.”

Tone Wilhelmsen Trøen, president of the Storting, added: “The threat situation is changing rapidly and becoming increasingly complex. The attack on us shows that at worst, cyber attacks can have serious consequences for our democratic processes.”

The latest cyber attack on Norway’s government comes just seven months after a large-scale incident – probably a state-backed attack by Russia – which targeted the email accounts of MPs and other government officials. At the time of writing, there is not believed to be any connection between the two incidents.

Lotem Finkelstein, head of cyber intelligence at Check Point, commented:  “The fact that hackers were able to breach government systems shows just how far-reaching and serious these vulnerabilities are.

“Check Point’s recent 2020 security report showed that 83% out of all attack vectors were email-based, and 87% of organisations have experienced an attempt to exploit an existing vulnerability. The time-window between the discovery of a vulnerability and it being patched gives hackers the opportunity to launch these attacks. 

“To protect themselves, organisations using Microsoft Exchange should ensure they have applied the patches to their systems or use virtual patching technologies such as intrusion protection systems to minimise the risks of attack.”

Meanwhile, threat actors continue to pile in on what is becoming something of a feeding frenzy, with researchers Matthieu Faou, Mathieu Tartare and Thomas Depuy of ESET reporting yesterday that they had seen at least 10 known groups involving themselves, with activity ramping up since disclosure on 3 March.

All the groups observed by ESET’s team were linked to cyber espionage groups with state-linked interests, with one exception – DLTMiner, which specialises in cryptojacking.

These groups have now dropped webshells – the malicious scripts used by such actors to maintain persistence in their target networks – on more than 5,000 vulnerable servers in 115 countries, with Germany, the US and the UK most hit. Note that this statistic is taken from ESET telemetry alone, so the true number of victims will be higher.

“It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” said the team.

Microsoft Exchange Server cyber attack timeline

3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.

4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.

5 March: Analysis from technical teams at FireEye’s Mandiant tracked activity exploiting newly disclosed vulnerabilities in Microsoft Exchange Server more than a month ago.

8 March: Microsoft said its seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.

9 March: European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online.

10 March: Microsoft’s March Patch Tuesday update drops amid ongoing fall-out from widespread Exchange attacks.

Read more on Data breach incident management and recovery