Microsoft suffered a security incident where a hacking group gained access to an internal database the tech giant uses to track vulnerabilities.
We already know that Microsoft detected the breach back in early 2013. The Redmond-based conglomerate subsequently came out with a statement on 22 February 2013 that painted the incident as limited in scope and severity:
“As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
But that statement apparently didn’t sum up the full extent of the incident.
On 17 October 2017, five former employees revealed that at the time of the breach Microsoft raised a number of internal alarms signaling that hackers had compromised the database it uses to track patches.
The attack has been blamed on Wild Neutron, a sophisticating hacking group which has targeted Apple, Facebook, and a number of other multi-billion dollar companies.
Even so, the former Microsoft workers said the database was poorly protected by just a single password.
Concerned that the hacking group had stolen details on some of its open vulnerabilities for Windows and other software, Microsoft decided to look at other industry breaches and investigate the timing of those event with respect to when the flaws entered its database.
It’s conclusion? That attackers had exploited Microsoft flaws in those breaches. But the company eventually concluded that the bad actors could have gotten that information elsewhere, which spurred Microsoft’s decision not to disclose the hack against its database.
One of the former employees isn’t convinced Microsoft did its due diligence. As quoted by Reuters:
“They absolutely discovered that bugs had been taken. Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”
Something like this has happened only once before. Back in 2015, Mozilla discovered that an attacker had compromised a privileged user’s account, stolen information on flaws affecting Firefox and other Mozilla-made products, and possibly used the flaws to attack users. Rather than remain silent about the issue, however, it went public with what happened and informed users how to protect themselves.
In the wake of large-scale vulnerability-driven malware attacks like WannaCry, it’s important that other companies follow Mozilla’s lead and be upfront if and when a security incident affects one of their vulnerability databases.
To its credit, Microsoft did tighten up the security of its systems by segregating the database on another network and instituting two-factor authentication (2FA) for access to the asset. Even so, the tech giant has yet to officially confirm that it suffered the breach against its database back in 2013. Let’s hope it comes forward soon.