Hackers may have gotten their hands on inside intel that Microsoft shared with its security partners to exploit vulnerabilities in the company’s widely used email and calendaring software Exchange, according to a Friday Wall Street Journal report.
Several different hacker groups have descended on the Exchange in a series of branching cyber attacks that compromised at least 30,000 U.S. organizations. State-sponsored hackers from China reportedly exploited several zero-day vulnerabilities in Microsoft’s software, which other cyberattackers later took advantage of, to gain entry into Exchange servers and plant malicious code in order to steal large troves of email data from American businesses and local governments.
The first wave of attacks began in January and picked up steam in the week before Microsoft planned to roll out a software fix to customers, the Journal reports. Tools used in the second wave, which is believed to have begun on Feb. 28, bore several similarities to “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners just a few days earlier, people familiar with the investigation told the outlet. While Microsoft initially planned to push out a software fix on March 9, it ended up releasing the patch early, on March 2, in response to the second wave of attacks.
Microsoft uses an information-sharing network, Microsoft Active Protections Program or MAPP, to push out alerts about its product to its security partners so they can identify emerging threats. MAPP includes 80 security companies worldwide, including about 10 based in China. A subset of these organizations received the proof-of-concept code that could be used to attack Microsoft’s systems in a notification that contained technical details regarding unpatched flaws in Exchange, per the Journal. A Microsoft spokesperson declined the Journal’s request for comment on whether any Chinese companies were included in this subset.
The spokesperson went on to say that Microsoft has seen “no indications” of a leak from inside the company, but if its internal investigation finds that any MAPP partners are implicated in the hack, there would be consequences.
“If it turns out that a MAPP partner was the source of a leak, they would face consequences for breaking the terms of participation in the program,” he told the Journal.
Microsoft previously kicked Hangzhou DPTech Technologies, a security software provider based in China, out of its MAPP program in 2012 after finding that the company leaked proof-of-concept code that could be used in a potential cyber attack and thus violated its non-disclosure agreement.
The scope of this massive breach is still being uncovered, but it could potentially let hackers have access to compromised systems for years to come. The rate of cyberattacks is reportedly doubling every few hours as hackers take advantage of these zero-day vulnerabilities to breach servers that haven’t yet been patched, according to the cybersecurity firm Check Point Research. On Friday, Microsoft disclosed that it discovered “a new family of ransomware,” aka malicious software that hijacks a computer or network until the victim forks over a ransom, being used to target unpatched networks.
That same day, the Biden administration underlined the severity of this historic hack and warned the thousands of compromised organizations that they have “hours, not days” to update exposed servers, per CNN. An official told the outlet that the U.S. government is enlisting members of the private sector to help in a multi-agency cybersecurity task force formed in response to the incident.