Was there a leak at Microsoft in the Exchange mass hack?

[German] The first wave of mass hacking of vulnerable Exchange servers before the release of patches raises questions, especially since the exploit code used was very similar to a PoC that Microsoft had distributed to partners a week earlier. Microsoft is now investigating whether a leak could be responsible.


Timing raises questions

When Microsoft distributed its unscheduled updates to close four 0-day vulnerabilities on March 2-3, 2021 (see Exchange server 0-day exploits are actively exploited), mass scans of the Internet for vulnerable Exchange servers had already been going on for a week. I wrote down the timeline in my German blog post Anatomie des ProxyLogon Hafnium-Exchange Server Hacks.

  • January 5, 2021: DEVCORE security researchers report a proof of concept (PoC) to Microsoft
  • January 6, 2021: Volexity security researchers observe attacks on Exchange Server via a then-unknown vulnerability
  • February 26/27, 2021: First mass scans with attacks on Exchange Server
  • March 2/3, 2021: Microsoft releases unscheduled update for Exchange Server to close four 0-day vulnerabilities

Hours later, mass scans started, infecting hundreds of thousands of Exchange Servers worldwide with a webshell backdoor. That raises questions; one of my editors suspected that a military actor is probably flexing its muscles in terms of cyber deterrence and demonstrating its capabilities. This is not out of the question, especially since the SolarWinds hack reveals something similar and the U.S. is probably planning something like counterattacks. But why is there this temporal proximity to certain events?

Is there a leak at Microsoft?

The Wall Street Journal (WSJ) has now come up with a report that, on the one hand, could explain a lot, but on the other hand was to be expected. Microsoft is investigating whether a leak played a role in the suspected Chinese hack by the Hafnium group. The investigators are trying to find out how the mass attack one week before the software fix should be classified.

Microsoft Active Protections Program (MAPP)

Microsoft has run the Microsoft Active Protections Program (MAPP) since 2008 for the exchange of information between different security companies. The aim is to give security companies a head start in detecting new threats. MAPP includes about 80 security companies worldwide, of which about 10 are based in China.

Proof of concept from Microsoft on February 23, 2021

Sources familiar with the MAPP program now appear to have tipped off the Wall Street Journal that some of the MAPP partners received Microsoft's notification of the vulnerabilities in Exchange on February 23. Proof-of-concept (PoC) code was included. When the first mass scans started on February 26/27, 2021, almost the same code was used to exploit the Exchange vulnerabilities. The WSJ comments:


Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to "proof-of-concept" attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.

It does mention February 28, 2021 (I had listed February 26/27). But the fact is that these mass scans caused the release of the security updates to be brought forward from March 9 to March 2, 2021. And the similarity of the code used raises the question of whether the attackers simply had their eyes and ears inside a participant of the MAPP program. Microsoft refuses to comment – specifically, on whether Chinese partners in the program are suspected. What is known is that Microsoft has found no evidence of an internal leak.

Gizmodo writes here that Microsoft kicked Hangzhou DPTech Technologies, a China-based security software vendor, out of the MAPP program in 2012. At the time, the company had leaked proof-of-concept code that could be used for a potential cyberattack, violating the non-disclosure agreement.

It will be patched, but it is too late

Currently, the consequences cannot be foreseen at all. I reported that 282,900 Exchange servers are currently accessible via the Internet. However, many of these instances are listed by spyse.com as being secured (but without an account I can see little detail). There is good news from Palo Alto Networks – in a briefing on Friday afternoon, it says that the patch situation for Exchange instances is improving.

The number of vulnerable servers running old versions of Exchange, to which recently released security patches cannot be applied directly, has dropped by more than 30% from an estimated 125,000 to 80,000, according to Expanse Internet scans from March 8-11.

Palo Alto Networks used its Expanse data collection platform to identify Internet-exposed servers running old versions of Exchange that cannot directly apply the recently released security patch for the zero-day vulnerabilities. Matt Kraning, chief technology officer of Cortex at Palo Alto Networks, comments:

I've never seen security patch rates this high for a system, let alone one as widely deployed as Microsoft Exchange. We urge organizations running all versions of Exchange to assume they were compromised before patching their systems, as we know attackers exploited these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2.

I've compared the number of vulnerable Exchange servers per country in the following table, according to Palo Alto (no figures were given for the March 8 column beyond the first five countries).

Country         8.3.2021   11.3.2021   (Source: Palo Alto Mail)
USA             33,000     20,000
Germany         21,000     11,000
Great Britain    7,900      4,900
France           5,100      4,000
Italy            4,600      3,700
Russia               –      2,900
Canada               –      2,700
Switzerland          –      2,500
Australia            –      2,200
China                –      2,100
Austria              –      1,700
Netherlands          –      1,600

Palo Alto also looked at the timelines (which I documented here on the blog) and writes that both the vulnerabilities themselves and the access that can be gained by exploiting them are significant. It is not surprising, therefore, that several attackers attempted and continue to attempt to compromise vulnerable systems before they are patched by network administrators. As we now know, these attacks happened on an unprecedented scale.

Based on the reconstructed timeline – its analysis is available here – it is now clear that there were at least 58 days between the first known exploitation of this vulnerability on January 3 (this date is new to me) and Microsoft's release of the patch on March 2. Applying the patch is a necessary first step, but not sufficient given the length of time the vulnerability has been exploited in the wild. Applying the patch does not remove access that attackers may have already gained to vulnerable systems. Organizations can refer to Palo Alto Unit 42's remediation guide for the steps they need to take to ensure they have properly secured their Exchange servers.

In the second week since the vulnerabilities became public, early estimates are that the number of affected companies is in the tens of thousands. This dwarfs the impact of the recent SolarStorm supply chain attack in terms of the number of victims and the estimated cost to remediate the vulnerabilities worldwide.

Ongoing research shows that these vulnerabilities are being exploited by multiple threat groups. Bleeping Computer has a story here about ransomware attacks. It is not new to see highly skilled attackers exploiting new vulnerabilities in various product ecosystems. However, the way these attacks are carried out to bypass authentication, gain unauthorized access to email and enable remote code execution (RCE) is particularly perfidious, Palo Alto says.

Unit 42 anticipates that attacks exploiting these vulnerabilities will not only continue, but grow in scope. This will also likely translate into more diverse attacks with different motives, such as the infection and/or distribution of ransomware. Because active attacks from various threat groups exploiting these vulnerabilities are ongoing, it is imperative not only to patch the affected systems, but also to follow the guidance here. I think the topic remains exciting.
