UK Electoral Commission Breach Tied to Unpatched Exchange Server Vulnerabilities
July 30, 2024
The Information Commissioner's Office (ICO) in the United Kingdom has disclosed that the breach of the Electoral Commission in August 2021 was due to the Commission's failure to mitigate the ProxyShell vulnerabilities in its on-premises Microsoft Exchange Server. These vulnerabilities are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
The threat actors exploited these security flaws to break into the Commission's Exchange Server 2016. They deployed web shells and backdoors, which gave them persistent access even after the initial intrusion. Microsoft had issued patches for these vulnerabilities in May 2021, but the Commission did not apply the updates in a timely manner, leaving its systems exposed to attack.
The breach was discovered on October 28, 2021, when an employee noticed that the Commission's Exchange server was being used to distribute spam emails. The attackers had gained access to the personal data of approximately 40 million individuals, including names, home addresses, email addresses, and phone numbers. The Commission attempted to minimize the severity of the breach, stating that much of the accessed data is publicly available. However, only voters' names and addresses are publicly accessible in the UK's open register.
The ICO's investigation concluded that the Electoral Commission did not have sufficient security measures in place to protect the personal data it held. The Commission also lacked adequate password policies, with many accounts using the same or similar passwords as those initially provided by the service desk. The ICO criticized the Electoral Commission for its failure to secure its systems and protect the personal data of millions of voters.
ICO Deputy Commissioner Stephen Bonner stated that the breach could have been prevented if the Commission had implemented basic security measures such as timely patching and effective password management. Despite the breach, Bonner confirmed that there is no evidence to suggest that the accessed personal data has been misused or that it has directly affected the impacted voters.
In August 2021, Shodan reported that it was monitoring thousands of Exchange servers that were vulnerable to ProxyShell attacks. This breach occurred after the UK, the US, and their allies accused China's Ministry of State Security (MSS) of launching extensive attacks on numerous organizations globally in March 2021. The MSS is associated with state-sponsored hacking groups known as APT40 and APT31.