Microsoft probes clue that hackers cracked Taiwan research
Microsoft Corp. is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities, according to a person familiar with the investigation.
DEVCORE, a small firm based in Taipei City that specializes in discovering computer security flaws, in December said it found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February, Microsoft notified DEVCORE that it was close to releasing security patches to fix the problem.
In the days after Microsoft disclosed its still secret patch to DEVCORE, attackers escalated their malicious activity on networks using Exchange servers connected to the internet, according to researchers at Palo Alto Networks Inc.
Microsoft is exploring if intelligence it shared with partners may have somehow triggered the attack, Bloomberg News reported. The company has focused part of its investigation on understanding if DEVCORE may have been compromised, or in some way tipped off attackers that the patch was in the pipeline, valuable intelligence for hackers seeking to time their attack to maximize its impact, according to the person, who asked not to be identified because details of the probe haven’t been publicly released.
A Microsoft spokesperson confirmed the investigation, but didn’t comment on whether DEVCORE’s role is under scrutiny.
“We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions,” said the spokesperson. “We have seen no indications of a leak from Microsoft related to this attack.”
Bowen Hsu, senior project manager at DEVCORE, said in an email that the company “immediately launched an internal investigation and did not find any concern so far.” He declined to elaborate on the scope of the review.
Some of the flaws have since been exploited by suspected Chinese state-sponsored hackers and other unknown cyber-espionage groups, who have breached more than 60,000 servers worldwide in one of the largest and most damaging hacks in recent memory. In some cases, victims who still haven’t installed the Microsoft patch have been targeted with ransomware.
According to DEVCORE, its researchers discovered two security flaws in Exchange servers from Dec. 10 to Dec. 30, and used them to create a proof-of-concept “exploit” that could be deployed to break into the servers and secretly access emails. The company disclosed its discovery to Microsoft on Jan. 5, and Microsoft began working on a patch to fix the problem.
But on Jan. 3, two days before the disclosure to Microsoft, hackers began using one of the same security flaws discovered by DEVCORE to gain access to Exchange servers and steal emails, according to researchers at the Virginia-based cybersecurity firm Volexity.
In late February, Microsoft notified DEVCORE that it was nearly ready to release the security patches. The same day, there was an increase in hacker activity, according to security researchers at Palo Alto Networks Inc. The Palo Alto Networks researchers reviewed code of the malware the hackers were using to breach the Microsoft Exchange servers and made a curious discovery. Some strains of the malware contained the password, “orange.”
The researcher at DEVCORE who first found the security flaws in the Exchange servers goes by the name Orange Tsai. On Twitter, Tsai pointed out that the exploit used during the February attacks “looks the same” as the one he created as a proof of concept and that DEVCORE reported to Microsoft. He said he had hard-coded the password “orange” into the malware.
The discoveries by Palo Alto Networks and Volexity alarmed researchers at DEVCORE, because the findings indicate that DEVCORE’s research had been surreptitiously obtained by the hackers, according to a person familiar with the matter.
Matthieu Faou, a malware researcher at European cybersecurity company ESET, said the hackers may have independently found the same vulnerabilities in Microsoft Exchange. The other most likely scenario, he added, was that the hackers “somehow obtained the information from DEVCORE or from a Microsoft partner.”