Microsoft Kept Quiet About 2013 Bug Database Hack: Report
A cyber-attack by a notorious hacking group back in 2013 compromised highly sensitive information on unfixed Microsoft vulnerabilities, data which could have been used to devastating effect, it has emerged.
Microsoft is said to have discovered the breach in early 2013 after a sophisticated hacking group dubbed Wild Neutron also attacked Apple, Facebook, Twitter and others.
It’s unclear whether said group is state-sponsored, although its high skill levels and solid operational security – which have enabled it to keep a relatively low profile over the years – could indicate some state involvement.
Microsoft’s statement at the time downplayed the seriousness of the attack:
“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
However, according to five former security employees Reuters spoke to, there was widespread concern inside the tech giant at the time that the stolen info would be used in follow-on attacks.
Although the stolen info was indeed used in follow-on attacks, Redmond concluded that the attackers could have obtained the same info elsewhere, and so stayed silent about the nature of the breach, the report claimed.
Even Pentagon and Homeland Security bosses were apparently not told the details of the attack.
The breach calls to mind the hacking and theft of the NSA’s trove of hacking tools which ultimately led to the WannaCry and NotPetya attacks earlier this year, with Microsoft president Brad Smith criticizing the spy agency at the time.
Even worse for the tech giant, the database containing details of as-yet-unpatched bugs was allegedly poorly protected by “little more than a password.”
Mozilla suffered something similar in 2015 when attackers managed to find a database featuring details on 10 critical and unpatched flaws, but it went public with the details to better protect customers and update industry stakeholders.
Source: Information Security Magazine