Github has ignited a firestorm after the Microsoft-owned code-sharing repository removed a proof-of-concept exploit for critical vulnerabilities in Microsoft Exchange that have led to as many as 100,000 server infections in recent weeks.
ProxyLogon is the name that researchers have given both to the four Exchange vulnerabilities under attack in the wild and the code that exploits them. Researchers say that Hafnium, a state-sponsored hacking group based in China, started exploiting ProxyLogon in January, and within a few weeks, five other APTs—short for advanced persistent threat groups—followed suit. To date, no fewer than 10 APTs have used ProxyLogon to target servers around the world.
Microsoft issued emergency patches last week, but as of Tuesday, an estimated 125,000 Exchange servers had yet to install it, security firm Palo Alto Networks said. The FBI and the Cybersecurity and Infrastructure Security Agency have warned that ProxyLogon poses a serious threat to businesses, nonprofits, and government agencies that remain vulnerable.
On Wednesday, a researcher published what’s believed to be the first largely working proof-of-concept (PoC) exploit for the vulnerabilities. Based in Vietnam, the researcher also published a post on Medium describing how the exploit works. With a few tweaks, hackers would have most of what they needed to launch their own in-the-wild RCEs, security speak for remote code execution exploits.
Publishing PoC exploits for patched vulnerabilities is a standard practice among security researchers. It helps them understand how the attacks work so that they can build better defenses. The open source Metasploit hacking framework provides all the tools needed to exploit tens of thousands of patched exploits and is used by black hats and white hats alike.
Within hours of the PoC going live, however, Github removed it. By Thursday, some researchers were fuming about the takedown. Critics accused Microsoft of censoring content of vital interest to the security community because it harmed Microsoft interests. Some critics pledged to remove large bodies of their work on Github in response.
“Wow, I am completely speechless here,” Dave Kennedy, founder of security firm TrustedSec, wrote on Twitter. “Microsoft really did remove the PoC code from Github. This is huge, removing a security researcher's code from GitHub against their own product and which has already been patched.”