
Photographer: Chris Ratcliffe / Bloomberg
Microsoft Corp. is investigating whether hackers who attacked the email system took advantage of the findings of Taiwanese researchers who first informed the software company of the vulnerabilities, a person familiar with the investigation said.
DEVCORE, a small company based in Taipei City that specializes in detecting computer security flaws, said in December that it had found bugs affecting Microsoft’s widely used Exchange business email software. At the end of February, Microsoft told DEVCORE that it was about to release security patches to fix the problem.
In the days after Microsoft revealed its still-secret patch to DEVCORE, attackers escalated their malicious activities on networks using Exchange servers connected to the Internet, according to researchers from Palo Alto Networks Inc.
Microsoft is investigating whether the information it shared with partners in some way triggered the attack, Bloomberg News reported. The company has focused some of its research on understanding whether DEVCORE may have been compromised, or somehow tipped off attackers that the patch was in the pipeline, valuable information for hackers looking to time their attack to maximize its impact, said the person, who asked not to be identified because details of the probe have not been made public.
A Microsoft spokesperson confirmed the investigation, but did not comment on whether DEVCORE’s role is under scrutiny.
“We are looking at the cause of the spike in malicious activity and have not yet drawn any conclusions,” said the spokesperson. “We have not seen any evidence of a leak at Microsoft in connection with this attack.”
Bowen Hsu, senior project manager at DEVCORE, said in an email that the company has found no signs of security breaches.
“DEVCORE immediately initiated an internal investigation on March 3 to verify whether the team was hacked or if information was leaked from our side,” said Hsu. “We have had a thorough investigation of all personal computers / devices owned by our employees, as well as our internal infrastructure and systems; there was no sign of any of those devices and our systems being hacked. We also examined our internal system and found no unusual login attempts or file access.”
Some of the flaws have since been exploited by suspected Chinese state-sponsored hackers and other unknown cyber-espionage groups, who breached more than 60,000 servers worldwide in one of the largest and most damaging hacks in recent memory. In some cases, victims who still have not installed the Microsoft patch are being targeted with ransomware.
According to DEVCORE, the researchers discovered two security flaws in Exchange servers between December 10 and December 30 and used them to create a proof-of-concept “exploit” that could be used to break into the servers and secretly access emails. The company reported its discovery to Microsoft on January 5, and Microsoft began work on a patch to fix the problem.
But on January 3 – two days before the disclosure to Microsoft – hackers began using one of the same security flaws discovered by DEVCORE to access Exchange servers and steal emails, according to researchers at Virginia-based cybersecurity company Volexity.
At the end of February, Microsoft told DEVCORE that it was almost ready to release the security patches. On the same day, there was an increase in hacker activity, according to security researchers at Palo Alto Networks Inc. The Palo Alto Networks researchers assessed the code of the malware that the hackers used to breach Microsoft Exchange servers and made a curious discovery: some of the malware samples contained the password ‘orange’.
The researcher at DEVCORE who first discovered the security flaws in the Exchange servers is called Orange Tsai. On Twitter, Tsai pointed out that the exploit used during the February attacks “looks the same” as the one he created as a proof of concept and that DEVCORE reported to Microsoft. He said he hard-coded the password ‘orange’ into the malware.
The discoveries made by Palo Alto Networks and Volexity troubled DEVCORE researchers, as the findings indicate that DEVCORE’s research was secretly obtained by the hackers, according to a person familiar with the case.
Matthieu Faou, a malware researcher with the European cybersecurity company ESET, said hackers may have independently found the same vulnerabilities in Microsoft Exchange. The other most likely scenario, he added, was that the hackers “somehow obtained the information from DEVCORE or from a Microsoft partner.”
Updates with new DEVCORE statement starting in the seventh paragraph