Critics fume after Github removes exploit code for Exchange vulnerabilities


Github has ignited a firestorm after the Microsoft-owned code-sharing repository removed a proof-of-concept exploit for critical vulnerabilities in Microsoft Exchange that have led to as many as 100,000 server infections in recent weeks.

ProxyLogon is the name researchers have given to the four Exchange vulnerabilities under attack in the wild and to the code that exploits them. Researchers say that Hafnium, a state-sponsored hacking group based in China, began exploiting ProxyLogon in January, and within a few weeks five other APTs, short for advanced persistent threat groups, followed suit. To date, no fewer than 10 APTs have used ProxyLogon to target servers around the world.

Microsoft released emergency patches last week, but as of Tuesday about 125,000 Exchange servers had yet to install them, security firm Palo Alto Networks said. The FBI and the Cybersecurity and Infrastructure Security Agency have warned that ProxyLogon poses a serious threat to businesses, nonprofits and government agencies that remain vulnerable.

On Wednesday, a researcher published what is believed to be the first fully functional proof-of-concept (PoC) exploit for the vulnerabilities. The researcher, based in Vietnam, also published a post on Medium describing how the exploit works. With a few tweaks, hackers would have most of what they needed to launch their own in-the-wild RCEs, security-speak for remote code execution exploits.

Publishing PoC exploits for patched vulnerabilities is standard practice among security researchers. It helps them understand how attacks work so they can build better defenses. The open source Metasploit hacking framework provides all the tools needed to exploit tens of thousands of patched vulnerabilities and is used by black hats and white hats alike.

A few hours after the PoC went live, however, Github removed it. By Thursday, some researchers were fuming about the takedown. Critics accused Microsoft of censoring content of vital interest to the security community because it harmed Microsoft's interests. Some critics pledged to remove large bodies of their work from Github in response.

“Wow, I’m completely speechless here,” Dave Kennedy, founder of the security firm TrustedSec, wrote on Twitter. “Microsoft really did remove the PoC code from Github. This is huge, removing a security researcher’s code from GitHub against their own product and it has already been patched.”

TrustedSec is one of numerous security firms that have been inundated with desperate calls from organizations hit by ProxyLogon. Many of Kennedy’s peers agreed with his sentiment.

“Is there a benefit to Metasploit, or is literally everyone using it a script kiddie?” said Tavis Ormandy, a member of Google’s Project Zero, a vulnerability research group that regularly publishes PoCs almost immediately after a patch becomes available. “It is a pity that there is no way to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe that the benefits outweigh the risks.”

Some researchers claimed that Github had a double standard: it allowed PoC code for patched vulnerabilities affecting other organizations’ software but removed it for Microsoft products. Microsoft declined to comment, and Github did not respond to an email seeking comment.

A divergent view

Marcus Hutchins, a security researcher at Kryptos Logic, pushed back on those criticisms. He said Github has in fact removed PoCs for patched vulnerabilities affecting non-Microsoft software. He also defended Github’s removal of the Exchange exploit.

“I’ve seen Github remove malicious code before, and not just code aimed at Microsoft products,” he told me in a direct message. “I very much doubt MS played any role in the removal; it simply conflicted with Github’s ‘active malware or exploits’ policy in the [terms of service], due to the extremely recent exploit and the large number of servers at imminent risk of ransomware.”

Responding to Kennedy on Twitter, Hutchins added: “‘It has already been patched.’ Dude, there are more than 50,000 unpatched Exchange servers out there. Releasing a fully ready-to-use RCE chain is not security research, it is reckless and stupid.”

A post published by Motherboard carried a statement from Github that confirmed Hutchins’ speculation that the PoC was removed for violating Github’s terms of service. The statement said:

We understand that the publication and distribution of proof-of-concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof-of-concept code for a recently disclosed vulnerability that is being actively exploited.

The PoC removed from Github remains available on archive sites. Ars is not linking to it or to the Medium post until more servers are patched.
