Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak

Updated: Exploit tools used in widespread attacks reportedly are similar to PoC code privately distributed by Microsoft to vendors.
Written by Charlie Osborne, Contributing Writer

Microsoft is reportedly investigating a potential partner leak that could have exacerbated the current wave of attacks against Microsoft Exchange servers. 

The Redmond giant is examining whether potentially "sensitive information" required to conduct the attacks was obtained through "private disclosures it made with some of its security partners," according to the Wall Street Journal.

On March 2, Microsoft issued emergency patches to tackle four zero-day vulnerabilities in Microsoft Exchange Server which were being actively exploited in the wild. 

The critical bugs were disclosed to Microsoft privately in January, and exploitation has since grown to the point that researchers estimate tens of thousands of businesses worldwide have been impacted.

Exploitation of the zero-days was originally attributed to Hafnium, a suspected Chinese state-sponsored hacking group. Now, however, proof-of-concept (PoC) code has been released and additional advanced persistent threat (APT) groups are attempting to capitalize on the situation. Ransomware, too, is now being deployed in some attacks. 

It is this PoC code that is also reportedly the subject of Microsoft's latest investigation. Microsoft is examining whether proof-of-concept attack code sent privately by the company to partners in the Microsoft Active Protections Program (Mapp) was leaked, whether deliberately or accidentally. 

The PoC attack code was sent to antivirus and other cybersecurity firms on February 23, ahead of the patch release, to give partner companies advance information. However, some of the tools used in the related attacks, which began a week later, appear to have "similarities" to the private PoC, according to the publication. 

Approximately 80 organizations participate in the Mapp program. 

In a blog post dated March 12, Microsoft said that protecting vulnerable Exchange servers is now a "critical" issue and this is why the company recently released patches to also fix out-of-support versions of Exchange. 

However, applying patches isn't enough on its own, because patching closes the vulnerabilities but does not remove an attacker who has already gained a foothold. As a result, Microsoft also recommends investigating Exchange servers for signs of compromise.
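The recommendation above is the difference between remediation and investigation. The following PowerShell triage script is an added example written for this page; it is not Microsoft's published tooling and not code from the article. It assumes it runs on an on-premises Exchange server where the standard $env:ExchangeInstallPath variable is set, and it takes a cutoff date (defaulting to the February 23 date mentioned above, an assumption you should set to the earliest exposure you care about). It reports the installed Exchange build, so it can be compared against the patched build numbers, and lists script files created or modified in the web-facing Exchange directories since the cutoff, since a web shell is simply an ordinary .aspx/.ashx file that the server will keep executing after the patch is applied.

```powershell
# Added triage example (not from the article or Microsoft). Assumes an
# on-premises Exchange server with $env:ExchangeInstallPath set.
param(
    # Assumption: start of the window of interest; adjust to your own exposure.
    [datetime]$Since = (Get-Date '2021-02-23')
)

$installPath = $env:ExchangeInstallPath
if (-not $installPath) {
    throw 'ExchangeInstallPath is not set; run this on an Exchange server.'
}

# 1. Report the installed build so it can be checked against the patched builds.
$exSetup = Join-Path $installPath 'Bin\ExSetup.exe'
$build = (Get-Item $exSetup).VersionInfo.ProductVersion
Write-Output "Exchange build: $build"

# 2. Look for script files dropped or modified in web-facing directories since
#    the cutoff. These paths are served by IIS, so a new .aspx file here is a
#    candidate web shell that patching alone will not remove.
$webDirs = @(
    (Join-Path $installPath 'FrontEnd\HttpProxy'),
    (Join-Path $installPath 'ClientAccess'),
    'C:\inetpub\wwwroot'
) | Where-Object { Test-Path $_ }

$suspect = Get-ChildItem -Path $webDirs -Recurse -File `
        -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length

if ($suspect) {
    Write-Output "Script files created or modified since $($Since.ToShortDateString()):"
    $suspect | Format-Table -AutoSize
} else {
    Write-Output "No .aspx/.ashx/.asmx files created or modified since $Since in the web directories."
}
```

A hit does not prove compromise (legitimate updates also touch these directories, which is why the build number is printed alongside), and an empty result does not prove its absence; treat this as a first pass before running Microsoft's own published detection guidance and, if anything suspicious turns up, a full incident response rather than a patch-and-move-on.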

Microsoft is now working with RiskIQ to track the number of Exchange servers that are internet-facing, unpatched, and still vulnerable to attack. As of March 12, approximately 82,000 servers remained unpatched. 

"Microsoft is deeply committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure," the company commented.

The Biden Administration has warned organizations that they have "hours, not days" to patch their systems. Private sector players have been invited to participate in a task force dedicated to investigating the situation. 

Update 12.32 pm GMT: A Microsoft spokesperson told ZDNet:

"We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions. We have seen no indications of a leak from Microsoft related to this attack."
