UPDATED 16:15 EDT / MARCH 12 2021


Report: Microsoft looking into whether leaked data was used in Exchange hacks

Microsoft Corp. is looking into the possibility that the recent cyberattacks against Exchange Server email servers employed data leaked from its systems or those of its partners, the Wall Street Journal reported today.

Exchange Server is a Microsoft-developed email and calendar platform popular in enterprises. At the beginning of March, the company revealed that hackers have been using previously unknown “zero-day” flaws in the platform to launch cyberattacks against customers. Tom Burt, Microsoft’s corporate vice president for customer security and trust, attributed the cyberattacks to a China-based hacking group the company is calling Hafnium.

The key context behind Microsoft’s reported leak investigation is the timing of the hacking campaign. According to the Journal’s sources, the attacks began in early January and widened in late February just as Microsoft was preparing to release software fixes for the Exchange vulnerabilities.

The second series of attacks is believed to have begun around Feb. 28. According to today’s report, multiple security firms have determined that the campaign employed hacking tools similar to proof-of-concept attack code Microsoft sent out to partners the week before to help them address the threat. The company released patches for the vulnerabilities a few days later, on March 2. 

It appears Microsoft is seeking to determine whether the code shared with partners may have found its way to the hackers. As part of its investigation, the company is said to be looking into the Microsoft Active Protections Program through which it shares information on vulnerabilities with firms such as antivirus providers. A notification sent out to some of the participants in the program on Feb. 23 reportedly included the proof-of-concept attack code.

The Exchange Server vulnerabilities were found in versions of the platform dating back to the 2010 edition. They allow hackers to gain access to a company’s Exchange Server installation and set up a malicious program known as a web shell in the compromised deployment that they can be used to steal emails remotely.

A separate Wall Street Journal report last week stated that it’s believed as many as 250,000 or more Microsoft customers may have been targeted. Researchers have determined that at least 10 hacking groups are now exploiting the vulnerabilities to launch hacking campaigns, including ransomware attacks.

Photo: efes/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy