GitHub blocked a repository demonstrating the ProxyLogon vulnerability in Microsoft Exchange
According to Record, on March 10, 2021, GitHub blocked the repository of Vietnamese researcher Nguyen Jang, which contained a working demonstration of the ProxyLogon vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) in Microsoft Exchange. The repository was blocked almost immediately after the content was published on the service.
A researcher from the MalwareTech cybersecurity team confirmed that the Hafnium Exchange RCE exploit was working and, after some modifications, even ran it on his own test bench.
Several proof-of-concept (PoC) exploits for ProxyLogon had been published on GitHub over the preceding days; however, most of them were trolling attempts or lacked the capabilities needed for a full compromise: they could not be used to achieve remote execution of arbitrary code on a Microsoft Exchange server.
The first working exploit was published on GitHub after the information security company Praetorian released a detailed overview of the vulnerabilities in the ProxyLogon chain but refrained from publishing a working PoC.
According to Record, many cybersecurity researchers fear that the published exploit prototype could speed up the development of working PoCs. This could sharply widen the front of the current attack as more attackers join it. At least 10 different hacker groups from around the world are now using the ProxyLogon vulnerability.
Notably, the swift takedown of the repository did not surprise experts: developer Nguyen Jang had posted code that could be used to hack Microsoft customers by exploiting bugs in Microsoft software, on an open source platform owned by Microsoft.
A GitHub spokesperson confirmed that the company removed the code due to the potential damage it could cause.
GitHub clarified that, while publishing and distributing proof-of-concept exploit code has educational and research value for the security community, the service's goal is to balance that benefit against the security of the broader ecosystem. The platform stated that Jang's repository was blocked in accordance with its policy, which does not allow the distribution of even proof-of-concept code for a recently discovered vulnerability that is being actively exploited.
Jang explained that he agrees with the GitHub rules and that it is fine (a copy of his code is available on other sites) that the service removed his code, which was written on the basis of this PoC and to which many information security researchers will in any case still have access. The reason he published the exploit on GitHub was to warn all developers about the critical situation and give them one last chance to fix their mail servers before they lose data.
However, after Jang's repository with the working exploit was removed, many developers accused Microsoft of censoring content of vital interest to the security community because it harms Microsoft's interests.
TrustedSec founder Dave Kennedy tweeted that he was shocked by this decision by Microsoft and GitHub.
Tavis Ormandy, a member of the Google Project Zero research group, said that it is impossible to share research and tools with professionals without also sharing them with cybercriminals, but many information security professionals believe that the benefits outweigh the risks.
Some cybersecurity researchers told Ars Technica that GitHub applies double standards. For example, the service allows the publication of PoC code for vulnerabilities affecting the software of other organizations, but the platform promptly removes any such code that affects the security of Microsoft products.
On March 2, Microsoft announced the mass exploitation of 0-day vulnerabilities in Microsoft Exchange Server mail servers to steal sensitive data and gain remote control. The company promptly published the necessary patches. In the first stage of the attack, attackers gain access to Microsoft Exchange Server using previously compromised credentials or by exploiting the 0-day vulnerabilities. A web shell is then created on the server for remote control, after which the attack progresses further and corporate data is stolen.
On March 6, 2021, Microsoft updated the Safety Scanner utility. The latest version of the standalone Microsoft Support Emergency Response Tool (MSERT) can detect malicious web shells installed by attackers inside company mail servers as part of the ongoing attack on unpatched Exchange Server 2013/2016/2019 systems throughout the world.
On March 7, Microsoft posted a script on GitHub to check whether Exchange servers had been compromised and asked system administrators to test their corporate mail servers for signs of compromise via the recently discovered ProxyLogon chain of vulnerabilities.
Bloomberg reported that serious vulnerabilities in Microsoft's mail server software could create a global IT security crisis as hackers continue to infect servers around the world and Microsoft fails to protect its customers. Moreover, currently only 10% of working systems are patched to the latest versions.
In October 2018, Microsoft bought GitHub for $7.5 billion. GitHub continues its open policy aimed at supporting all developers, regardless of the platform or programming language they use. 60 million developers now use the service.