Govt’s cyber threat report asks organizations to check vulnerability and take measures
A hacker group called ‘Hafnium’ has launched attacks on more than 200 organizations in Bangladesh, including Bangladesh Telecommunication Regulatory Commission (BTRC), Bangladesh Bank, commercial banks, and internet service providers.
BGD e-GOV CIRT, the e-Government Computer Incident Response Team, and Bangladesh Computer Council (BCC) reported the attacks in a cyber threat report on Thursday night.
The report said the hacker group made the attacks last month.
“We were just trying to see global attacks but then through research we found that it has also attacked us. Later, we uploaded the recovery system on our website,” Tarique M Barkatullah, director, BCC and project director, BGD e-Gov CIRT, told Dhaka Tribune.
He said: “A malware is inserted through Microsoft Exchange Server. Although no money has been stolen yet, information has been leaked, which creates a fear of huge financial loss or stealing of money in future.”
However, companies can recover themselves from this attack by using the Hafnium exploit file, he added.
According to the Bangladesh Computer Council (BCC), the threat actor behind the malware is known as “Hafnium”. It has also been observed that several hacker groups are actively exploiting vulnerabilities in Microsoft Exchange Server.
Hafnium is assessed to be a state-sponsored group operating out of China, based on observed victimology, tactics and procedures.
An alert on the attacks was also posted on the Microsoft website on Friday.
The alert said Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium.
BGD e-GOV CIRT has asked a number of state-owned and private organizations to scan their mail servers for injected malware and to assume that they have been compromised if such malware is found.
Hafnium has carried out such attacks on around 100,000 companies across the globe.
Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
This group has overlaps in tactics and techniques with other Chinese hacker groups. If we establish an exact match with another known group, we will supplement it with this profile, said BCC.
It has also attacked organizations in Germany, Canada, France, Belgium, Italy, Hong Kong, South Korea, Turkey, the United Arab Emirates and Israel, among others.
Its targeted industries and sectors are banking and finance; government and local healthcare; law and law enforcement agencies; defense; heavy industries and engineering; aerospace; science and education (universities and colleges); energy and power; and non-profits.
On March 15, Chile's bank regulator was compromised through ProxyLogon vulnerabilities in Microsoft Exchange Server, according to Comisión para el Mercado Financiero (CMF).
Measures to protect
Some Bangladeshi organizations running Microsoft Exchange Server have also been compromised by the cyber attacks, said BGD e-GOV CIRT in an advisory.
BGD e-GOV CIRT said all organizations are requested to take measures such as running the newly released Microsoft tools, the “Test-ProxyLogon.ps1” script and the Safety Scanner (“MSERT”), to investigate whether their Microsoft Exchange Servers have been compromised.
Maintain up-to-date antivirus signatures and engines, keep operating system patches current, and disable file and printer sharing services.
“If these services are required, use strong passwords or Active Directory authentication. Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required. Enforce a strong password policy and implement regular password changes,” said the advisory.
“Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known. Report or inform BGD e-GOV CIRT regarding any incident or issues to work in a collaborative fashion through https://www.cirt.gov.bd/incident-reporting/,” it added.