SharePoint Hack: Did Chinese Hackers Exploit a Leak?

Microsoft Investigates Potential SharePoint Security Breach

Microsoft is currently investigating a potential leak within its early alert system for cybersecurity companies. This investigation aims to determine if Chinese hackers were able to exploit vulnerabilities in Microsoft’s SharePoint service before official patches were released. The core question is whether the Microsoft Active Protections Program (MAPP), intended to provide early warnings to cybersecurity experts, inadvertently facilitated the widespread exploitation of SharePoint vulnerabilities.

The MAPP Program and Potential Leak

The MAPP program, a 17-year-old initiative, grants members access to information about upcoming security patches 24 hours before their public release. A select group of highly vetted users receives notifications five days in advance. To participate, companies must demonstrate they are cybersecurity vendors and do not create hacking tools. They also sign a non-disclosure agreement.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, confirmed that the vulnerabilities exploited in the SharePoint attacks were included in a MAPP release. This raises concerns about a potential leak, which Childs believes would be a significant blow to the program, despite its overall value.

Global Impact and Attribution

The attacks have impacted over 400 government agencies and corporations globally, including the US National Nuclear Security Administration. Microsoft has attributed some of these attacks to Chinese state-sponsored hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. The Chinese Embassy has responded by stating its opposition to all forms of cyberattacks and objecting to accusations made without solid evidence.

The Timeline of Events

In May, Dinh Ho Anh Khoa, a researcher from Viettel, revealed previously unknown SharePoint vulnerabilities at the Pwn2Own conference in Berlin. He demonstrated the exploit and provided a detailed white paper to Microsoft. Microsoft validated the research and began working on a fix, awarding Khoa $100,000 for his discovery.

It took Microsoft approximately 60 days to develop a patch. On July 7, one day before the public release of the patch, hackers began attacking SharePoint servers. While it’s possible the hackers discovered the vulnerabilities independently, the timing raises suspicions of a leak from the MAPP program.

Previous Incidents and Chinese Regulations

This isn’t the first time the MAPP program has faced allegations of leaks. In 2012, Microsoft accused Hangzhou DPtech Technologies Co. of disclosing information about a major Windows vulnerability. In 2021, Microsoft suspected two other Chinese MAPP partners of leaking information about Exchange server vulnerabilities, leading to a massive global hacking campaign attributed to the Chinese espionage group Hafnium.

Furthermore, a 2021 Chinese law mandates that any company or security researcher identifying a vulnerability must report it to the government within 48 hours. Some Chinese companies in MAPP also participate in the China National Vulnerability Database, operated by the Ministry of State Security, raising concerns about potential conflicts of interest.

The Need for Transparency

Eugenio Benincasa, a researcher at ETH Zurich’s Center for Security Studies, highlights the lack of transparency regarding how Chinese companies balance their obligations to Microsoft with their requirements to share information with the Chinese government. This area, he argues, requires closer scrutiny.

Potential Implications of a MAPP Leak

  • Erosion of trust in Microsoft’s security programs.
  • Increased vulnerability of organizations relying on Microsoft products.
  • Strengthening of Chinese cyber capabilities.
  • Need for enhanced security protocols and transparency in vulnerability disclosure.

Microsoft’s Response

Microsoft has stated that it will review the incident and identify areas for improvement. The company emphasizes that partner programs are a crucial component of its security response. However, the investigation’s outcome will determine the future of the MAPP program and the measures taken to prevent future leaks.

| Vulnerability | Discovered By | Date Discovered | Patch Release Date | Exploitation Start Date |
|---|---|---|---|---|
| SharePoint Flaw | Dinh Ho Anh Khoa | May 2024 | July 8, 2024 | July 7, 2024 |

The Bigger Picture: Cybersecurity and Geopolitics

This incident underscores the complex interplay between cybersecurity and geopolitics. The involvement of state-sponsored hackers, the potential for vulnerabilities to be exploited for strategic advantage, and the challenges of international cooperation in cybersecurity all contribute to a volatile landscape.

Key Takeaways:

  • The investigation into the potential MAPP leak is ongoing.
  • The incident highlights the risks associated with early vulnerability disclosure programs.
  • Transparency and trust are essential for effective cybersecurity collaboration.
  • Geopolitical tensions can complicate cybersecurity efforts.

Ankit Vishwakarma is a key author at Newsm, contributing his expertise cultivated over 4 years in creative writing. He's dedicated to producing high-quality content that informs, entertains, and connects with readers.