Is there a link between Microsoft Exchange exploits and PoC code the company shared with partner security firms?

Pierluigi Paganini March 16, 2021

Microsoft is reportedly investigating whether the recent attacks against Microsoft Exchange servers could be linked to information leaked by a partner security firm.

According to a report published by The Wall Street Journal, Microsoft is investigating whether the threat actors behind the recent wave of attacks on Microsoft Exchange servers worldwide may have obtained sensitive information to launch the attack from a partner security firm.

The information may have been obtained through “private disclosures it [Microsoft] made with some of its security partners.”

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to break into on-premises Exchange servers, access email accounts, and install backdoors to maintain persistence in victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants. 

Microsoft is aware that the attacks began in early January, before the company was able to address the flaws with the release of security updates. Several China-linked APT groups subsequently obtained the exploit code and used it to target Microsoft Exchange email servers worldwide.

“Microsoft Corp. is investigating whether the hackers behind a world-wide cyberattack may have obtained sensitive information necessary to launch the attack from private disclosures it made with some of its security partners, according to people familiar with the matter.” reads the article published by The Wall Street Journal. “Investigators have focused on whether a Microsoft partner with whom it shared information about the bug hackers were exploiting leaked it to other groups, either inadvertently or on purpose, the people said.”

On March 2, Microsoft issued emergency patches to tackle four zero-day vulnerabilities in Microsoft Exchange Server which were being actively exploited in the wild. 

The vulnerabilities were privately disclosed in January, but evidently someone obtained the information about the flaws and started exploiting them in the wild.

Microsoft suspects that the code used in the attacks was derived from the PoC code it had privately sent to partners of the Microsoft Active Protections Program (Mapp). It is not clear whether the code was leaked deliberately or accidentally.

The PoC exploit code was sent to partner cybersecurity firms and antivirus vendors on February 23, before the Redmond giant released the patches. Experts noticed that the exploit code used in the attacks in the wild was similar to the PoC shared by Microsoft.

“Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, bear similarities to “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23, investigators at security companies say.” continues the WSJ.

Mapp includes about 80 security companies worldwide, 10 of which are based in China. Some of the Mapp partners received the PoC code on February 23, according to sources familiar with the program. At the time of this writing, Microsoft has yet to confirm whether any Chinese companies received the code.

This is not the first time such a leak has happened: in May 2012, Microsoft cut off Hangzhou DPtech Technologies Co. Ltd., a MAPP partner company based in China, for leaking data related to CVE-2012-0002.

The investigation is still ongoing, but the public availability of multiple PoC exploits is causing a surge of cyber attacks exploiting ProxyLogon vulnerabilities on a global scale.
