Microsoft probes clue that hackers cracked Taiwan research

Microsoft is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities, according to a person familiar with the investigation.

DEVCORE, a small firm based in Taipei City that specializes in discovering computer security flaws, in December said it found bugs affecting Microsoft's widely used Exchange business email software. Then in late February, Microsoft notified DEVCORE that it was close to releasing security patches to fix the problem.

In the days after Microsoft disclosed its still-secret patch to DEVCORE, attackers escalated their malicious activity on networks using Exchange servers connected to the internet, according to researchers at Palo Alto Networks Inc.

Microsoft is exploring if intelligence it shared with partners may have somehow triggered the attack, Bloomberg News reported. The company has focused part of its investigation on understanding if DEVCORE may have been compromised, or in some way tipped off attackers that the patch was in the pipeline, valuable intelligence for hackers seeking to time their attack to maximize its impact, according to the person, who asked not to be identified because details of the probe haven't been publicly released.

Also read: Microsoft says ransom-seeking hackers taking advantage of server flaws

A Microsoft spokesperson confirmed the investigation, but didn't comment on whether DEVCORE's role is under scrutiny.

“We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions,” said the spokesperson. “We have seen no indications of a leak from Microsoft related to this attack.”

Bowen Hsu, senior project manager at DEVCORE, said in an email that the company has found no signs that its security was breached.

“DEVCORE immediately launched an internal investigation on March 3rd to verify whether the team has been hacked or any information has been leaked from our end,” Hsu said. “We had a thorough investigation among all the personal computers/devices owned by our employees, as well as our internal infrastructure and systems; there was no sign that any of those devices and our systems have been hacked. Also, we have investigated our internal system and found no unusual login attempts or file access.”

Some of the flaws have since been exploited by suspected Chinese state-sponsored hackers and other unknown cyber-espionage groups, who have breached more than 60,000 servers worldwide in one of the largest and most damaging hacks in recent memory. In some cases, victims who still haven't installed the Microsoft patch, have been targeted with ransomware.

According to DEVCORE, its researchers discovered two security flaws in exchange servers from Dec. 10 to Dec. 30, and used them to create a proof of concept “exploit” that could be deployed to break into the servers and secretly access emails. The company disclosed its discovery to Microsoft on Jan 5., and Microsoft began working on a patch to fix the problem.

But on Jan. 3 -- two days before the disclosure to Microsoft -- hackers began using one of the same security flaws discovered by DEVCORE to gain access to exchange servers and steal emails, according to researchers at the Virginia-based cybersecurity firm Volexity.

In late February, Microsoft notified DEVCORE that it was nearly ready to release the security patches. The same day, there was an increase in hacker activity, according to security researchers at Palo Alto Networks Inc. The Palo Alto Networks researchers reviewed code of the malware the hackers were using to breach the Microsoft Exchange servers and made a curious discovery. Some strains of the malware contained the password, “orange.”

Read more: Microsoft says China-linked group targeting Exchange email servers

The researcher at DEVCORE who first found the security flaws in the exchange servers is goes by the name Orange Tsai. On Twitter, Tsai pointed out that the exploit used during the February attacks “looks the same” as the one he created as a proof of concept and that DEVCORE reported to Microsoft. He said he had hard-coded the password “orange” into the malware.

The discoveries by Palo Alto Networks and Volexity alarmed researchers at DEVCORE, because the findings indicate that DEVCORE's research had been surreptitiously obtained by the hackers, according to a person familiar with the matter.

Matthieu Faou, a malware researcher at European cybersecurity company ESET, said the hackers may have independently found the same vulnerabilities in Microsoft Exchange. The other most likely scenario, he added, was that the hackers “somehow obtained the information from DEVCORE or from a Microsoft partner.”