
Photographer: Chris Ratcliffe / Bloomberg
Microsoft Corp. is investigating whether the hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company about the vulnerabilities, according to a person familiar with the investigation.
DEVCORE, a small Taipei-based company that specializes in discovering computer security holes, said in December that it found bugs that affect Microsoft’s widely used Exchange business email software. Then, in late February, Microsoft notified DEVCORE that it was close to releasing security patches to fix the problem.
In the days after Microsoft told DEVCORE about its still-secret patch, attackers scaled up their malicious activity on networks using Internet-connected Exchange servers, according to researchers at Palo Alto Networks Inc.
Microsoft is exploring whether the intelligence shared with partners may have somehow triggered the attack, Bloomberg News reported. The company focused part of its investigation on understanding whether DEVCORE may have been compromised, or somehow alerted attackers that the patch was in preparation, valuable intelligence for hackers looking to time their attack to maximize its impact, according to the person, who asked not to be identified because the details of the investigation were not made public.
A Microsoft spokesman confirmed the investigation, but declined to comment on whether DEVCORE’s role is under scrutiny.
“We are looking at what may have caused the increase in malicious activity and we have not yet reached any conclusions,” said the spokesman. “We saw no indication of a Microsoft leak related to this attack.”
Bowen Hsu, senior project manager at DEVCORE, said in an email that the company found no signs that its security was breached.
“DEVCORE immediately launched an internal investigation on March 3 to see if the team was hacked or if any information was leaked from us,” said Hsu. “We did a thorough investigation among all of our employees’ personal computers / devices, as well as our infrastructure and internal systems; there was no sign that any of these devices and our systems were hacked. In addition, we investigated our internal system and found no attempts to login or access unusual files.”
Some of the flaws were exploited by suspected Chinese state-sponsored hackers and other unknown cyber espionage groups, who breached more than 60,000 servers worldwide in one of the biggest and most damaging hacks in recent memory. In some cases, victims who have not yet installed the Microsoft patch have been targeted with ransomware.
According to DEVCORE, its researchers discovered two security flaws in Exchange servers between December 10 and December 30 and used them to create a proof-of-concept “exploit” that could be deployed to hack into servers and secretly access email. The company revealed its discovery to Microsoft on January 5, and Microsoft began work on a patch to correct the problem.
But on January 3, two days before the disclosure to Microsoft, hackers started using one of the same security holes discovered by DEVCORE to gain access to Exchange servers and steal email, according to researchers at Volexity, a Virginia-based cybersecurity company.
In late February, Microsoft notified DEVCORE that it was almost ready to release security patches. On the same day, there was an increase in hacking activity, according to security researchers at Palo Alto Networks Inc. Researchers at Palo Alto Networks reviewed the malware code that hackers were using to breach Microsoft Exchange servers and made a curious discovery. Some strains of the malware contained the password “orange”.
The DEVCORE researcher who first found the security holes in Exchange servers is known by the name Orange Tsai. On Twitter, Tsai pointed out that the exploit used during the February attacks “looks the same” as the one he created as a proof of concept and which DEVCORE reported to Microsoft. He said he had encrypted the “orange” password in the malware.
The findings by Palo Alto Networks and Volexity alarmed DEVCORE researchers, because they suggest that DEVCORE’s research was obtained illegally by hackers, according to a person familiar with the matter.
Matthieu Faou, a malware researcher at the European cybersecurity firm ESET, said the hackers may have independently found the same vulnerabilities in Microsoft Exchange. The other most likely scenario, he added, is that hackers “somehow obtained the information from DEVCORE or a Microsoft partner.”
(Updates with the new DEVCORE statement starting in the seventh paragraph)