Sources close to the situation say Microsoft Corp. is looking into whether a leak from its early alert system for cybersecurity firms let Chinese hackers take advantage of vulnerabilities in its SharePoint service before they were fixed.
According to people speaking about private matters who asked not to be named, the tech company is investigating whether the program, which was created to give cybersecurity experts an opportunity to fix computer systems before new security concerns were made public, contributed to the widespread exploitation of vulnerabilities in its SharePoint software worldwide over the past few days.
“As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly,” a Microsoft spokesperson said in a statement, adding that partner programs are an important part of the company’s security response.
Guo Jiakun, the spokesman for the foreign affairs ministry, spoke out against hacking earlier this week, according to remarks released to the media by the Chinese embassy in Washington. “Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” Guo said. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”
Microsoft has blamed Chinese state-sponsored hackers for the SharePoint hacks, and according to Microsoft’s website, at least a dozen Chinese organizations are part of the Microsoft Active Protections Program, or MAPP. Participants in the 17-year-old program are required to demonstrate that they are cybersecurity providers and do not manufacture hacking tools such as penetration testing software. They sign a non-disclosure agreement and are notified of vulnerabilities 24 hours before Microsoft makes the fixes for them available to the public.
Microsoft’s MAPP site states that a selection of more carefully screened customers get notified five days in advance of an upcoming patch.
According to Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, Microsoft informed program participants about the flaws that resulted in the SharePoint assaults. “These two bugs were included in the MAPP release,” says Childs, whose company is a MAPP member. “The possibility of a leak has certainly crossed our minds.” He adds that such a leak would be a dire threat to the program, “even though I still think MAPP has a lot of value.”
More than 400 government organizations and businesses throughout the world have already been affected by the attacks, including the US National Nuclear Security Administration, which is in charge of creating and maintaining the nation’s nuclear weapons. Microsoft has accused Chinese government-sponsored organizations Linen Typhoon and Violet Typhoon, together with another China-based entity it names Storm-2603, of being responsible for at least part of the assaults. The Chinese Embassy has responded to the accusations by stating that it is against cyberattacks in all their forms and that it is against “smearing others without solid evidence.”
In May, at Pwn2Own, a conference hosted by Childs’ organization in Berlin where hackers sit on stage and look for critical security flaws in front of a live audience, researcher Dinh Ho Anh Khoa of the Vietnamese cybersecurity company Viettel disclosed that SharePoint had previously unknown vulnerabilities. Khoa went to a private room with Childs and a Microsoft official following the public demonstration and celebration, Childs alleged. Khoa provided a comprehensive white paper and a detailed explanation of the exploit. After confirming the study, Microsoft got to work on a solution. Khoa’s work earned her $100,000.
Microsoft took around sixty days to develop a solution. According to cybersecurity analysts, hackers targeted SharePoint systems on July 7, the day before a fix was made available to the general public.
Childs speculates that hackers could have discovered the vulnerabilities on their own and started taking advantage of them the same day Microsoft distributed them to MAPP members. However, he goes on to say that this would be a remarkable coincidence. The other apparent possibility is that the information was shared with the attackers.
The leak of news of a pending patch would be a substantial security failure, but “it has happened before,” says Jim Walter, senior threat researcher at the cyber firm SentinelOne.
MAPP has been the subject of purported leaks since 2012, when Microsoft accused a Chinese network security firm called Hangzhou DPtech Technologies Co. of leaking data that revealed a significant Windows vulnerability. DPtech from Hangzhou was kicked out of the MAPP organization. Additionally, Microsoft “strengthened existing controls and took actions to better protect our information,” according to a statement released at the time by a Microsoft spokesman.
Microsoft attributed a worldwide hacking effort in 2021 to a Chinese espionage outfit known as Hafnium after suspecting at least two other Chinese MAPP partners of disclosing knowledge about flaws in its Exchange servers.
Tens of thousands of Exchange servers, including those at the Norwegian Parliament and the European Banking Authority, were compromised in one of the company’s worst-ever hacks.
As previously reported by media, the corporation contemplated updating the MAPP program after the 2021 event. However, it made no mention of whether any adjustments were eventually made or whether any leaks were found.
According to an Atlantic Council analysis, a 2021 Chinese law requires any business or security researcher that finds a security flaw to notify the government’s Ministry of Industry and Information Technology of the risk within 48 hours. According to Chinese government websites, some of the Chinese businesses that continue to participate in MAPP, like Beijing CyberKunlun Technology Co Ltd., are also part of the China National Vulnerability Database, a vulnerability program run by the nation’s Ministry of State Security.
There is a lack of openness on how Chinese enterprises strike a balance between their obligations to protect vulnerabilities disclosed by Microsoft and their obligations to provide information to the Chinese government, according to Eugenio Benincasa, a researcher at the Center for Security Studies at ETH Zurich. “We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralized,” says Benincasa. “This is definitely an area that warrants closer scrutiny.”