Microsoft is reportedly looking into whether its security partners played a role in helping hackers carry out attacks exploiting the Exchange Server vulnerabilities, according to the Wall Street Journal.
In a March 12 article, the Journal reported that the IT behemoth is questioning how threat actors obtained sensitive information that allowed them to access the tools they needed to compromise victim networks.
According to the newspaper, the investigation is focused on whether a Microsoft partner with whom it shared information about the vulnerabilities exploited by Chinese hackers leaked that information to other groups, leading to a rise in exploit attempts in what the Journal calls the second wave of attacks beginning in late February.
Some of those tools used in those follow-up attacks are similar to the “proof of concept” attack code the company shared with antivirus companies and other cybersecurity companies on Feb. 23.
Playing a central role in this is the Microsoft Active Protections Program (Mapp), an information-sharing program created in 2008 to give the cybersecurity industry a head start in detecting cyber threats.
Here’s more from the Journal:
Microsoft and others have been reviewing an information-sharing program called the Microsoft Active Protections Program (Mapp), which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in this release.
How the hackers obtained the tools is important to Microsoft and others scrambling to assess the damage of the historically large cyberattack, which has allowed other hacking groups to capitalize on the vulnerabilities for their own purposes. Microsoft said this week it had spotted ransomware, or malicious software that locks up its victims’ computers until they pay the hackers, being used to target networks that hadn’t yet been patched. Because many of the targeted organizations are small businesses, schools and local governments, security experts said they could be especially exposed to debilitating attacks.
According to the Journal, Microsoft notified its Mapp partners on Feb. 23 via an alert that contained technical details, including the proof of concept sample. The company told its partners then that it had planned to patch the vulnerabilities two weeks later, on March 9.
But just four days after that alert, China-linked hackers began scanning the internet for servers that contained the vulnerabilities. And one day after that, on Feb. 28, four separate hacking groups began their attacks, according to security company ESET.
A Microsoft spokesperson told the Journal that there are not currently any indications of a leak from inside the company, and the longtime partners in the program are large enough to test and detect vulnerabilities. However, there would be consequences if the partnership was abused, the spokesperson said.
According to a 2012 Microsoft security blog cited by the Journal, Microsoft banned Chinese company Hangzhou DPTech Technologies Co., LTD, from the program after that company allegedly leaked proof-of-concept code that could have been used in an attack. That code appeared on a Chinese website.