Microsoft probing whether cyber alert tipped off Chinese hackers
Microsoft is looking into whether a leak from its early alert system led to the widespread exploitation of vulnerabilities in the SharePoint software.
Microsoft is investigating whether a leak from its early alert system for cyber-security companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, according to people familiar with the matter.
The technology company is looking into whether the programme – designed to give cyber-security experts a chance to fix computer systems before the revelation of new security concerns – led to the widespread exploitation of vulnerabilities in its SharePoint software.
A Microsoft spokesperson said in a statement: “As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly.”
The spokesperson added that partner programmes are an important part of the company’s security response.
The Chinese embassy in Washington referred to comments made by Foreign Affairs Ministry spokesman Guo Jiakun to media earlier this week, opposing hacking activities.
Mr Guo said: “Cyber security is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation.
“China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cyber security issues.”
Microsoft has attributed the SharePoint breaches to state-sponsored hackers from China.
Members of the 17-year-old programme, the Microsoft Active Protections Programme (Mapp), must prove they are cyber-security vendors and that they do not produce hacking tools such as penetration testing software.
After signing a non-disclosure agreement, they receive information about novel patches to vulnerabilities 24 hours before Microsoft releases them to the public.
A subset of more highly-vetted users receive notifications of an incoming patch five days earlier, according to Microsoft’s Mapp website.
Mr Dustin Childs, head of threat awareness for the Zero Day Initiative at cyber-security company Trend Micro, said Microsoft alerted members of the programme about the vulnerabilities that led to the SharePoint attacks.
“These two bugs were included in the Mapp release,” said Mr Childs, whose company is a Mapp member. “The possibility of a leak has certainly crossed our minds.”
He added that such a leak would be a dire threat to the programme, “even though I still think Mapp has a lot of value”.
Victims of the attacks now total more than 400 government agencies and corporations worldwide, including the US’ National Nuclear Security Administration, the division responsible for designing and maintaining the country’s nuclear weapons.
For at least some of the attacks, Microsoft has blamed Linen Typhoon and Violet Typhoon, groups sponsored by the Chinese government, as well as another China-based group it calls Storm-2603.
In response to the allegations, the Chinese Embassy has said it opposes all forms of cyber attacks, while also objecting to “smearing others without solid evidence”.
Mr Dinh Ho Anh Khoa, a researcher who works for the Vietnamese cyber-security firm Viettel, revealed that SharePoint had previously unknown vulnerabilities in May at Pwn2Own, a conference in Berlin run by Mr Childs’ organisation where hackers sit on stage and search for critical security vulnerabilities in front of a live audience.
Mr Childs said that after the public demonstration and celebration, Mr Khoa headed to a private room with Mr Childs and a Microsoft representative.
Mr Khoa explained the exploit in detail and handed over a full white paper.
Microsoft validated the research and immediately began working on a fix.
Mr Khoa won US$100,000 (S$128,160) for the work.
It took Microsoft about 60 days to come up with a fix.
On July 7, the day before it released a patch publicly, hackers attacked SharePoint servers, cyber-security researchers said.
Mr Childs said it is possible that hackers found the bugs independently and began exploiting them on the same day that Microsoft shared them with Mapp members.
But he added that this would be an incredible coincidence. The other obvious possibility is that someone shared the information with the attackers.
Mr Jim Walter, senior threat researcher at cyber firm SentinelOne, said the leak of news of a pending patch would be a substantial security failure, but “it has happened before”.
Mapp has been the source of alleged leaks as far back as 2012, when Microsoft accused the Hangzhou DPtech Technologies, a Chinese network security company, of disclosing information that exposed a major vulnerability in Windows.
Hangzhou DPtech was removed from the Mapp group.
At the time, a Microsoft representative said in a statement that it had also “strengthened existing controls and took actions to better protect our information”.
In 2021, Microsoft suspected at least two other Chinese Mapp partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign.
It was one of the company’s worst breaches ever – tens of thousands of Exchange servers were hacked, including at the European Banking Authority and the Norwegian Parliament.
Following the 2021 incident, the company considered revising the Mapp programme, Bloomberg previously reported.
But it did not disclose whether any changes were ultimately made or whether any leaks were discovered.
According to an Atlantic Council report, a 2021 Chinese law mandates that any company or security researcher who identifies a security vulnerability must report it within 48 hours to the government’s Ministry of Industry and Information Technology.
Some of the Chinese companies that remain involved in Mapp, such as Beijing CyberKunlun Technology, are also members of a Chinese government vulnerabilities programme, the China National Vulnerability Database, which is operated by the country’s Ministry of State Security, according to Chinese government websites.
Mr Eugenio Benincasa, a researcher at ETH Zurich’s Centre for Security Studies, said there is a lack of transparency about how Chinese companies balance their commitments to safeguard vulnerabilities shared by Microsoft with requirements that they share information with the Chinese government.
“We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralised,” said Mr Benincasa.
“This is definitely an area that warrants closer scrutiny.” BLOOMBERG