Microsoft is investigating whether a leak from its early alert system for cybersecurity companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, Bloomberg News reported on Friday (Jul 25).

A security patch Microsoft released this month failed to fully fix a critical flaw in the US tech giant’s SharePoint server software, opening the door to a sweeping global cyber espionage effort. 

In a blog post on Tuesday, Microsoft said two allegedly Chinese hacking groups, dubbed “Linen Typhoon” and “Violet Typhoon”, were exploiting the weaknesses, along with a third, also based in China.

The tech giant is probing if a leak from the Microsoft Active Protections Program (MAPP) led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the report said. 

Microsoft said in a statement provided to Reuters that the company continually evaluates “the efficacy and security of all of our partner programs and makes the necessary improvements as needed”.

A researcher with Vietnamese cybersecurity firm Viettel demonstrated the SharePoint vulnerability in May at the Pwn2Own cybersecurity conference in Berlin. The conference, put on by cybersecurity company Trend Micro’s Zero Day Initiative, rewards researchers in the pursuit of ethically disclosing software vulnerabilities.

The researcher, Dinh Ho Anh Khoa, was awarded US$100,000 and Microsoft issued an initial patch for the vulnerability in July, but members of the MAPP program were notified of the vulnerabilities on Jun 24, Jul 3 and Jul 7, Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, told Reuters Friday.

Microsoft first observed exploit attempts on Jul 7, the company said in the Tuesday blog post.

Childs told Reuters that “the likeliest scenario is that someone in the MAPP program used that information to create the exploits”.

It’s not clear which vendor was responsible, Childs said, “but since many of the exploit attempts come from China, it seems reasonable to speculate it was a company in that region”.

It would not be the first time that a leak from the MAPP program led to a security breach. More than a decade ago, Microsoft accused a Chinese firm, Hangzhou DPTech Technologies, of breaching its non-disclosure agreement and expelled it from the program.

“We recognise that there is the potential for vulnerability information to be misused,” Microsoft said in a 2012 blog post, around the time that information first leaked from the program. “In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously.”

Any confirmed leak from MAPP would be a blow to the program, which is meant to give cyber defenders the upper hand against hackers who race to parse Microsoft updates for clues on how to develop malicious software that can be used against still-vulnerable users.

Launched in 2008, MAPP was meant to give trusted security vendors a head start against the hackers, for example, by supplying them with detailed technical information and, in some cases, “proof of concept” software that mimics the operation of genuine malware.


© 2025 The News Singapore. All Rights Reserved.