Criticized exchange exploit github


Nguyen defended the decision by saying it would prompt organizations to patch.

A GitHub spokesperson said it removed the code because it violated the platform’s policy against uploading “active” software exploits.

“We understand that the publication and distribution of proof-of-concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” the GitHub spokesperson said.

“In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited,” the GitHub statement continued.

But Katie Moussouris, CEO of Luta Security, argued that proof-of-concept exploit code can be the incentive that organizations need to apply software patches.


Other analysts countered that some small organizations do not have the resources to quickly apply those fixes.

The Record first reported on the proof-of-concept exploit code.

The GitHub spokesperson did not respond when asked how long the exploit code was available on the platform.

Some security experts said that it is not a zero-sum issue — that researchers could explore the exploits without going public with them. Matt Graeber, director of research at security firm Red Canary, urged researchers to refrain from releasing exploit code and instead recommend defensive measures based on their knowledge of the exploit.

As debates over security research ethics rage on, so, too, do the compromises of organizations running vulnerable Exchange Server software.


The user who owns token 2 must specifically request that “SwapAndBurn” be approved to take ownership later.

This explicit approval step is necessary because the “SwapAndBurn” contract must be allowed to take an object away from the player and destroy it before issuing the player a new token on “RivalExchange.” The player can verify through inspection of the SwapAndBurn contract that there is no risk to this approval step: there is no way by which the SwapAndBurn contract can take ownership over the player’s object without also issuing them their new “RivalExchange” object.

Approval successful.
Requesting a trade on the object with a token ID of 2.
Trade successful.

The approval step succeeded, as indicated by token 2’s listing turning red.


The interface shown above is a simple page using web3.js to read state from and interact with a deployed instance of my GameExchange contract.

The solution that Palm explores is a hybrid trust model where players can opt into and out of object modification from a centralized authority under the control of a game’s developers. Instead of a game interacting with a player’s on-chain objects in real time, the game can track state changes off-chain on a traditional server. Updates are only committed to the blockchain periodically.

This model is very similar to how large cryptocurrency exchanges operate: when users hold cryptocoins on an exchange, they typically don’t own them on-chain. Instead, the off-chain cryptocoin accounting is centralized entirely on the exchange’s servers.


The proof-of-concept tool, which contained exploits for two Exchange Server vulnerabilities, was quickly removed from GitHub.

Exploit code for two Microsoft Exchange Server vulnerabilities under attack was published to GitHub earlier today. The Microsoft-owned platform quickly took down the proof-of-concept (PoC).


The PoC combines CVE-2021-26855 and CVE-2021-27065, two of the four Exchange Server zero-days that attackers are using to break into Exchange Servers and deploy Web shells to steal data from target businesses. Since the flaws were patched on March 2, attacks have rapidly increased.


While this simple game trusts the client, in practice the game server would exist separately from the client as a remote authority. The game authority would modify the player’s gun object from a separate machine with separately signed transactions, preventing players from cheating. The previous high score is retrievable from Ethereum and can be modified by the server when needed.

The example above shows a player entering the game again for another match. Their previous high score persisted on the blockchain between their play attempts.
In this gameplay clip, once the player surpasses their old high score, the gun object begins updating with the score value tracked on the remote centralized server.


Wow, I am completely speechless here.

Microsoft really did remove the PoC code from Github.

This is huge, removing a security researcher’s code from GitHub against their own product and which has already been patched.

This is not good. https://t.co/yqO7sebCSU

— Dave Kennedy (@HackingDave) March 11, 2021

TrustedSec is one of countless security firms that has been overwhelmed by desperate calls from organizations hit by ProxyLogon.

ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:
  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:
  • Adding and using Exchange PowerShell snap-ins to export mailbox data:
  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:
  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.
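The post-exploitation steps listed above are the kind of activity a defender can hunt for in event logs once a server is suspected of being compromised. The script below is an added example, not Microsoft’s HAFNIUM guidance or any script from that report: it searches PowerShell script block logging (event ID 4104) and Security process-creation events (event ID 4688, useful only where command-line auditing is enabled) for traces of each listed step. The indicator regexes, the cmdlet name New-MailboxExportRequest and the PowerCat GitHub path are this example’s assumptions about how those steps appear on a host; the page names the activities, not the commands.

```powershell
# Added example: hunts Windows event logs for the HAFNIUM post-exploitation
# activities listed above. Not Microsoft's code; indicator patterns are assumptions.
param(
    [datetime]$Since = (Get-Date).AddDays(-14),
    [string]$ComputerName = $env:COMPUTERNAME
)

# Indicator regexes keyed by the activity they are meant to surface. These are
# this example's assumptions about how each step shows up in logs, not indicators
# published with the HAFNIUM report.
$Indicators = [ordered]@{
    'LSASS dump via procdump'            = 'procdump.*\blsass\b|-ma\s+lsass'
    'Data staging with 7-Zip'            = '\b7za?\.exe\b|\b7za?\s+a\s'
    'Exchange snap-in / mailbox export'  = 'Add-PSSnapin\s+Microsoft\.Exchange|New-MailboxExportRequest'
    'Nishang reverse shell'              = 'Invoke-PowerShellTcpOneLine|System\.Net\.Sockets\.TCPClient'
    'PowerCat download or use'           = 'powercat|besimorhino/powercat'
}

function Find-Indicator {
    param([string]$Text, [string]$Source, [datetime]$Time)
    # Collapse whitespace so multi-line script blocks match single-line patterns.
    $flat = $Text -replace '\s+', ' '
    foreach ($name in $Indicators.Keys) {
        if ($flat -match $Indicators[$name]) {
            [pscustomobject]@{
                Time      = $Time
                Source    = $Source
                Indicator = $name
                Evidence  = $flat.Substring(0, [Math]::Min(200, $flat.Length))
            }
        }
    }
}

# 4104 captures what ran inside PowerShell even when it was launched by a web shell;
# 4688 only carries the command line if "Include command line in process creation
# events" is enabled, otherwise only the image path is visible.
$queries = @(
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since },
    @{ LogName = 'Security';                                Id = 4688; StartTime = $Since }
)

$hits = foreach ($q in $queries) {
    # SilentlyContinue: Get-WinEvent raises an error when a query returns no events.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $q -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        Find-Indicator -Text $e.Message -Source ("{0}/{1}" -f $q.LogName, $e.Id) -Time $e.TimeCreated
    }
}

$hits | Sort-Object Time | Format-Table Time, Source, Indicator, Evidence -AutoSize -Wrap
```

Treat hits as triage leads rather than verdicts: administrators legitimately load the Exchange snap-in and run mailbox exports, so compare each hit against change records and the account that ran it. Where Sysmon is deployed, the same patterns can be run over its process-creation events (Microsoft-Windows-Sysmon/Operational, event ID 1), which record command lines regardless of the Security audit policy.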

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise.

  • $($env:exchangeinstallpath)/Frontend/: used by more sophisticated attackers in order to blend in with legitimate Exchange files (webshells could be added as new files or by modifying existing ones, including web.config); most common locations are /owa/ and /ecp/, but webshells could be dropped anywhere within the Frontend directory

Interpreting the results

detect_webshells.ps1 only looks for webshells and does not attempt to detect past exploitation events directly (use https://github.com/microsoft/CSS-Exchange/tree/main/Security and the other scripts mentioned below for this), nor is it looking for particularly stealthy threat actors (which could delete webshells after use or avoid dropping them altogether). As such, a negative result can only mean absence of evidence of compromise on this particular host.
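As an added example of the file-system side of that hunt (this is not the detect_webshells.ps1 script discussed above, and the token list is this example’s assumption about what ASP.NET shells tend to contain), the following PowerShell walks the Exchange FrontEnd directory named above and lists script-capable files and web.config files that were created or modified after a cutoff, or that contain code-execution tokens. It assumes the ExchangeInstallPath environment variable is set, as it is on an Exchange server; pass -Root to scan a copied directory elsewhere.

```powershell
# Added example: lists web shell candidates under the Exchange FrontEnd directory.
# Not the detect_webshells.ps1 script; token list and defaults are assumptions.
param(
    # Assumes ExchangeInstallPath is set (it is on an Exchange server); override -Root otherwise.
    [string]$Root = (Join-Path $env:ExchangeInstallPath 'FrontEnd'),
    # Starting point only; move the cutoff back to the earliest date you need to cover.
    [datetime]$ModifiedAfter = (Get-Date).AddDays(-30)
)

# Extensions IIS/ASP.NET will execute. Legitimate Exchange .aspx files live here too,
# so a match on extension alone is never a finding by itself.
$ScriptExtensions = '.aspx', '.asp', '.ashx', '.asmx', '.asax', '.php', '.jsp', '.cshtml'

# Tokens typical of ASP.NET shells: request-driven input, process launch, dynamic eval
# and assembly loading. Assumed for this example, not a published indicator list.
$ShellTokens = 'Request\s*\[\s*"[^"]*"\s*\]|Request\.Item|Process\.Start|CreateObject\(|JScript\.Eval|\bEval\(|cmd\.exe|Assembly\.Load|ExecuteGlobal'

function Get-WebshellCandidate {
    param([string]$Path, [datetime]$After)
    $afterUtc = $After.ToUniversalTime()
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($ScriptExtensions -contains $_.Extension.ToLower()) -or ($_.Name -ieq 'web.config') } |
        ForEach-Object {
            $content  = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $tokenHit = [bool]($content -and ($content -match $ShellTokens))
            # Creation time is checked as well as modification time: a dropped file
            # is often timestomped on LastWriteTime but not on CreationTime.
            $recent = ($_.LastWriteTimeUtc -gt $afterUtc) -or ($_.CreationTimeUtc -gt $afterUtc)
            if ($tokenHit -or $recent) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    Created  = $_.CreationTimeUtc
                    Modified = $_.LastWriteTimeUtc
                    Recent   = $recent
                    TokenHit = $tokenHit
                    Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

Get-WebshellCandidate -Path $Root -After $ModifiedAfter |
    Sort-Object TokenHit, Modified -Descending |
    Format-Table Path, Recent, TokenHit, Modified, Sha256 -AutoSize
```

Read the output the same way the README reads its own: a hash that does not match the same file on a known-good server of the same Exchange build, a web.config that changed outside a patch window, or an .aspx that no Exchange update ships are the items worth opening. An empty list only means this scan found no file-based evidence on this host; it says nothing about a shell that was deleted after use or an attacker who never dropped one.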

“Firstly, the PoC I gave can not run correctly. It will be crashed with many of errors. Just for trolling the reader,” Jang told BleepingComputer.

The PoC, though, provided enough information that security researchers and threat actors could use it to develop a functional remote code execution exploit for Microsoft Exchange servers.

Soon after the PoC was published, Jang received an email from Microsoft-owned GitHub stating that the PoC was being taken down as it violated Acceptable Use Policies.

In a statement to BleepingComputer, GitHub said they took down the PoC to protect devices that are being actively exploited.

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe.

It then configures the miner, injects it into a running process, then quits, according to the report. “The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,” Brandt wrote.

Researchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.

Exploit-Chain History

The ProxyLogon problem started for Microsoft in early March when the company said it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server.
