In the past couple of weeks, several hacking groups—including Chinese government hackers—have been taking advantage of four vulnerabilities to break into Microsoft Exchange email servers, used by thousands of companies all over the world.
On Wednesday, independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers that combined two of those vulnerabilities. Essentially, he published code that could be used to hack Microsoft customers, exploiting a bug used by Chinese government hackers—on an open-source platform owned by Microsoft.
Hours later, GitHub, which is owned by Microsoft, took down the hacking tool.
"Github took down it," the researcher told Motherboard in an email. "They just send [sic] me an email."
On Thursday, a GitHub spokesperson confirmed to Motherboard that the company removed the code due to the potential damage it could cause.
"We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe," the spokesperson said in an email. "In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited."
Do you have information about the breach of Microsoft Exchange servers or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Jang said that "it's ok to take down the Proof of Concept," adding that the code he posted wasn't functional out of the box, but required some tweaks. Jang, however, said that his code is "also written from the real PoC, so it will help the real researcher who are looking at this bug."
"The reason of my recent blog post is to warn everyone about the critical of this bug, let them last chance to patch their server before everything go burning!" he said, referring to a Medium post he wrote in Vietnamese.
Three security researchers told The Record that the code published by Jang worked with some adjustments.
On March 2, Microsoft announced that a Chinese hacking group was taking advantage of four zero-day vulnerabilities in Exchange servers. The company urged anyone using Exchange servers to patch as soon as possible. The hackers have broken into at least 30,000 servers in the US, and hundreds of thousands worldwide, according to security reporter Brian Krebs and Wired.
Once Microsoft announced the existence of the vulnerabilities, more hacking groups have piled on.
“Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server,” the company said in an update on Monday.
Security researchers, including Google's elite hacking team Project Zero, often publish proof-of-concept exploit code to show how a vulnerability could have been abused, with the goal of educating others in the community and sharing knowledge. But in this case, GitHub considered that the existence of Jang's code posed a threat to all the Exchange customers who haven't patched yet.
Subscribe to our cybersecurity podcast CYBER, here.