Critics fume after GitHub removes exploit code for Exchange vulnerabilities


GitHub ignited a firestorm after the Microsoft-owned code-sharing repository removed a proof-of-concept exploit for critical vulnerabilities in Microsoft Exchange, which have led to as many as 100,000 server infections in recent weeks.

ProxyLogon is the name researchers have given to the four Exchange vulnerabilities under active exploitation in the wild and to the code that exploits them. Researchers say Hafnium, a state-sponsored hacking group based in China, began exploiting ProxyLogon in January, and within a few weeks, five other APTs (short for advanced persistent threat groups) followed suit. To date, no fewer than 10 APTs have used ProxyLogon to target servers around the world.

Microsoft released emergency patches last week, but as of Tuesday, an estimated 125,000 Exchange servers had yet to install them, security firm Palo Alto Networks said. The FBI and the Cybersecurity and Infrastructure Security Agency have warned that ProxyLogon poses a serious threat to businesses, non-profit organizations and government agencies that remain vulnerable.

On Wednesday, a researcher published what is believed to be the first largely working proof-of-concept (PoC) exploit for the vulnerabilities. The Vietnam-based researcher also published a post on Medium describing how the exploit works. With a few tweaks, hackers would have most of what they need to launch their own RCEs, security-speak for remote code execution exploits.

Publishing PoC exploits for patched vulnerabilities is standard practice among security researchers. It helps them understand how attacks work so they can build better defenses. The open source Metasploit hacking framework provides all the tools needed to exploit tens of thousands of patched vulnerabilities and is used by black hats and white hats alike.

However, GitHub removed the PoC within hours of it being posted. By Thursday, some researchers were fuming about the removal. Critics accused Microsoft of censoring content of vital interest to the security community because it harmed Microsoft's interests. Some critics vowed in response to remove much of their work from GitHub.

"Wow, I'm completely speechless here," Dave Kennedy, founder of security firm TrustedSec, wrote on Twitter. "Microsoft really did remove the PoC code from GitHub. This is huge, removing a security researcher's code from GitHub against their own product and which has already been patched."

TrustedSec is one of countless security firms inundated with desperate calls from organizations hit by ProxyLogon. Many of Kennedy's peers share his sentiments.

"Is there a benefit to Metasploit, or is literally everyone who uses it a script kiddie?" said Tavis Ormandy, a member of Google's Project Zero, a vulnerability research group that regularly publishes PoCs almost immediately after a patch becomes available. "It's unfortunate that there's no way to share research and tools with professionals without also sharing it with attackers, but many people (like me) believe that the benefits outweigh the risks."

Some researchers claim that GitHub has a double standard that allows PoC code for patched vulnerabilities affecting other organizations' software but removes it for Microsoft products. Microsoft declined to comment, and GitHub did not respond to a request for comment.

A dissenting view

Marcus Hutchins, a security researcher at Kryptos Logic, pushed back against the critics. He said GitHub has indeed removed PoCs for patched vulnerabilities that do not affect Microsoft software. He also made a case for GitHub removing the Exchange exploit.

"I've seen GitHub remove malicious code, not just code targeted at Microsoft products," he told me in a direct message. "I highly doubt that MS played a role in the removal; it simply fell afoul of GitHub's 'Active malware or exploits' policy in the [terms of service], because the exploit was extremely recent and a large number of servers were at looming risk of ransomware."

Responding to Kennedy on Twitter, Hutchins added: "'Already patched.' Dude, there are more than 50,000 unpatched Exchange servers out there. Releasing a full ready-to-go RCE chain is not security research, it's reckless and stupid."

A report published by Motherboard quotes a statement from GitHub confirming Hutchins's hunch that the post was removed because it violated GitHub's terms of service. The statement reads:

We understand that the publication and distribution of proof-of-concept exploit code has educational and research value for the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contained proof-of-concept code for a recently disclosed vulnerability that is being actively exploited.

The PoC removed from GitHub remains available on archive sites. Ars is not linking to it or to the Medium post until more servers are patched.
