UPDATED 16:15 EDT / MARCH 12 2021


Report: Microsoft looking into whether leaked data was used in Exchange hacks

Microsoft Corp. is looking into the possibility that the recent cyberattacks against Exchange Server email servers employed data leaked from its systems or those of its partners, the Wall Street Journal reported today.

Exchange Server is a Microsoft-developed email and calendar platform popular in enterprises. At the beginning of March, the company revealed that hackers have been using previously unknown “zero-day” flaws in the platform to launch cyberattacks against customers. Tom Burt, Microsoft’s corporate vice president for customer security and trust, attributed the cyberattacks to a China-based hacking group the company is calling Hafnium.

The key context behind Microsoft’s reported leak investigation is the timing of the hacking campaign. According to the Journal’s sources, the attacks began in early January and widened in late February just as Microsoft was preparing to release software fixes for the Exchange vulnerabilities.

The second series of attacks is believed to have begun around Feb. 28. According to today’s report, multiple security firms have determined that the campaign employed hacking tools similar to proof-of-concept attack code Microsoft sent out to partners the week before to help them address the threat. The company released patches for the vulnerabilities a few days later, on March 2. 

It appears Microsoft is seeking to determine whether the code shared with partners may have found its way to the hackers. As part of its investigation, the company is said to be looking into the Microsoft Active Protections Program through which it shares information on vulnerabilities with firms such as antivirus providers. A notification sent out to some of the participants in the program on Feb. 23 reportedly included the proof-of-concept attack code.

The Exchange Server vulnerabilities were found in versions of the platform dating back to the 2010 edition. They allow hackers to gain access to a company’s Exchange Server installation and set up a malicious program known as a web shell in the compromised deployment that they can be used to steal emails remotely.

A separate Wall Street Journal report last week stated that it’s believed as many as 250,000 or more Microsoft customers may have been targeted. Researchers have determined that at least 10 hacking groups are now exploiting the vulnerabilities to launch hacking campaigns, including ransomware attacks.

Photo: efes/Pixabay

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.