Microsoft is reportedly investigating whether malicious actors behind a large-scale Microsoft Exchange attack could have obtained a “proof of concept” exploit code that the tech giant distributed on February 23 to its security partners through its Microsoft Active Protections Program (MAPP), The Wall Street Journal reported.
On March 2, Microsoft released emergency updates to address a number of Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were exploited in real-world attacks. The company attributed the attacks to the China-linked hacker group Hafnium; however, not long after the disclosure, the cybersecurity firm ESET said that at least ten state-sponsored threat groups are exploiting these flaws in their campaigns.
According to WSJ, Microsoft had shared some threat information about the vulnerabilities with security partners prior to March 2 and now is trying to determine whether “a Microsoft partner with whom it shared information about the bug hackers were exploiting leaked it to other groups, either inadvertently or on purpose,” according to people familiar with the matter.
PoC code was provided to antivirus and other cybersecurity firms on February 23, before the patch release, to give partner companies information in advance. However, it appears that some of the tools used in the subsequent attacks have "similarities" to the PoC exploit shared by Microsoft. The company had planned to release its security fixes two weeks later, on March 9, but after the second wave began it rolled out the patches a week early, on March 2, according to the publication.
The Microsoft Active Protections Program includes nearly 80 organizations, 10 of which are located in China.
According to Microsoft, as of March 12, nearly 82,000 Exchange servers still remain unpatched.