Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. 

The Microsoft Active Protections Program (MAPP) is a program for security software providers and partners that gives participants early access to vulnerability and threat intelligence.

MAPP, which includes 81 organizations, was intended to give other companies the chance to develop strategies and to deploy necessary protections before vulnerabilities are made public. 

“MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases,” the company says. “This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or tools to further illuminate the issue and help with additional protection enhancement.”

However, MAPP has recently come under scrutiny as the potential source of a leak of exploit code — either accidentally or deliberately — later weaponized during the Microsoft Exchange Server incident. 

Microsoft issued emergency patches for the now-infamous four critical zero-day bugs (“ProxyLogon”) in Exchange on March 2.


According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared.

The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe. 

At the time, reports suggested that Proof-of-Concept (PoC) code shared with MAPP participants contained “similarities” to exploit code later used in attacks. 

MAPP sets out different tiers for participants that determine what information is shared, and when — ranging from weeks ahead of disclosure to days. Potential revisions to the program could include shuffling participants and their level of entry, a reassessment of what Microsoft will share in the future, or potentially the inclusion of code-based ‘watermarks’ that could be used to trace data distribution — and any subsequent leaks.
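One way such a ‘watermark’ could work, shown here as an added example rather than Microsoft’s or MAPP’s own mechanism: every partner’s copy of an advisory package differs only in a handful of equivalent wordings, each choice encoding one bit of a codeword registered to that partner, and a leaked copy is attributed by reading those choices back and decoding to the nearest codeword. The template, variant pairs, registry and partner names below are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed template for an advisory package. Each {n} slot has two equivalent
# renderings (VARIANTS); the choice at a slot encodes one bit without changing
# the document's meaning.
TEMPLATE = (
    "Advisory PLACEHOLDER-ID{0} reproduction steps\n"
    "{1} Start the test instance{2}\n"
    "{3} Send the crafted request to the front end{4}\n"
    "{5} Confirm the back end responds{6}\n"
    "{7} Collect the logs{8}\n"
)
VARIANTS = [(":", " -"), ("1.", "1)"), (".", ""), ("2.", "2)"), (".", ""),
            ("3.", "3)"), (".", ""), ("4.", "4)"), (".", "")]
# Constructed registry: codewords are pairwise 6 bits apart, so up to two
# edited or unreadable slots still decode to the right recipient.
REGISTRY = {
    "partner-a": "000000000",
    "partner-b": "111111000",
    "partner-c": "000111111",
    "partner-d": "111000111",
}


def watermark(recipient: str) -> str:
    """Render the document variant assigned to one recipient."""
    bits = REGISTRY[recipient]
    return TEMPLATE.format(*(VARIANTS[i][int(b)] for i, b in enumerate(bits)))


def extract_bits(leaked: str):
    """Read slot choices back from a leaked copy; None marks an edited slot."""
    pattern = re.escape(TEMPLATE)
    for i in range(len(VARIANTS)):
        pattern = pattern.replace(re.escape("{%d}" % i), "(.{0,2})")
    m = re.fullmatch(pattern, leaked)
    if m is None:  # fixed text too altered to recover the slots at all
        return None
    return [0 if m.group(i + 1) == v0 else 1 if m.group(i + 1) == v1 else None
            for i, (v0, v1) in enumerate(VARIANTS)]


def trace(leaked: str, max_errors: int = 2):
    """Nearest-codeword decoding; None when unreadable, too damaged or ambiguous."""
    bits = extract_bits(leaked)
    if bits is None:
        return None
    scores = sorted((sum(b is None or b != int(c) for b, c in zip(bits, code)), name)
                    for name, code in REGISTRY.items())
    if scores[0][0] > max_errors or scores[1][0] == scores[0][0]:
        return None
    return scores[0][1], scores[0][0]
```

A real deployment needs enough slots to give all partners well-separated codewords (81 recipients need far more than nine bits) and should also vary content that survives reformatting, not just punctuation.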

The company attributed the first wave of attacks against Exchange servers to Hafnium, a Chinese state-sponsored threat group — later joined by at least 10 other advanced persistent threat (APT) groups including LuckyMouse, Tick, and Winnti Group. 

It wasn’t long before an estimated 60,000 organizations were compromised, and as of March 12, roughly 82,000 internet-facing servers remained unpatched. 

Post-exploit activities include the installation of backdoors and web shells, ransomware deployment, and cryptocurrency miners.

Microsoft declined to comment. 
