Microsoft investigates the link between attacks on “Exchange Server” and code leaks

Microsoft is investigating whether a code leak by one of its partners may have exacerbated a series of attacks on Microsoft Exchange Server. According to a March 12 (US time) report in The Wall Street Journal (WSJ), the company is examining the possibility that the "confidential information" required for these attacks was obtained through "private information disclosure with some security partner companies."

On March 2, Microsoft released out-of-band patches for four zero-day vulnerabilities in Exchange Server that were already being widely exploited. The vulnerabilities had been reported to Microsoft privately in January, and exploitation has increased since then. Researchers estimate that tens of thousands of organizations around the world are affected.

Initially, the exploitation was attributed to Hafnium, a hacking group believed to operate out of China with state backing. However, once proof-of-concept (PoC) exploit code for the vulnerabilities was published, more APT (advanced persistent threat) groups began trying to take advantage of the situation, and ransomware has been deployed in some of the attacks.

According to the WSJ, Microsoft is also investigating the PoC code itself. The company is looking into whether PoC code it shared privately with partner companies in the Microsoft Active Protections Program (MAPP) was leaked, either intentionally or accidentally. The PoC was distributed on February 23, before the patches were released, to give antivirus and cybersecurity companies advance information. According to the WSJ, however, some of the tools used in the attacks that began about a week later show "similarities" to that private PoC. About 80 organizations participate in MAPP.

In a blog post dated March 12, the company said that protecting vulnerable Exchange Servers is currently a "very important" challenge, which is why it also released patches for versions of Exchange Server that are no longer supported.
However, patching alone does not address servers that have already been compromised, so the company recommends that administrators also investigate their servers for signs of compromise. Microsoft is working with RiskIQ to track the number of vulnerable, unpatched servers that remain online. As of March 12, roughly 82,000 servers reportedly had not yet been updated. The Biden administration warned that the time an organization has to patch its systems is measured in "hours, not days," and it called on private companies to join a task force investigating the situation. A Microsoft spokeswoman told ZDNet: "We are investigating the cause of the surge in malicious attacks and have not yet reached a conclusion. No evidence has been found that a leak from Microsoft was related to this attack."