Cyberespionage group stolen Microsoft vulnerabilities DB back in 2013

Another day, another news about a clamorous data breach, this time the Reuters agency revealed that Microsoft suffered a major security breach back in 2013.

According to five former employees, hackers broke into the company vulnerabilities and bug reports database, but the news was never disclosed.

The former employees explained that Microsoft addressed all the vulnerabilities listed in the compromised database within months so that the vulnerabilities would have limited exploitation against Microsoft systems in the wild.

“Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.” reported the Reuters.

You can imagine the importance of the archive for intelligence agencies and hackers, the database contained details of unfixed vulnerabilities in some of the most popular software and operating systems in the world.Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.

The knowledge of such zero-day vulnerabilities would have been exploited in targeted attacks in the wild.

The employees attributed the attack to a “highly sophisticated hacking group,” likely they were referring a nation-state actor.

After the incident, Microsoft investigated every breach suffered by third-party companies in the following period to check if any of the vulnerabilities contained within the breached database were exploited in the attacks. The company declared that did not find any evidence of cyber attacks in the wild exploiting the information included in the hacked vulnerability database.

“Sometime after learning of the attack, Microsoft went back and looked at breaches of other organizations around then, the five ex-employees said. It found no evidence that the stolen information had been used in those breaches.” continued the Reuters.

The Reuters claims the threat actor behind the data breach is an APT group known Wild Neutron. (i.e. Morpho, Jripbot, Butterfly, ZeroWing, or Sphinx Moth). Wild Neutron is a financially motivated espionage group that targeted large enterprises, including Microsoft, Apple, Twitter, and Facebook.

According to the analysis published by Kaspersky Lab in 2015, the Morpho APT group is specialized in corporate espionage and has been active since at least 2011.

The researchers speculate that the group is responsible for the attacks in 2013 on the IT giants Apple, Facebook, Microsoft, and Twitter.

The above attacks were discovered in February 2013, a few weeks after, Microsoft admitted an attack, but it specified the attackers had limited access to its network.

“As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,” the company said on Feb. 22, 2013.

“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”

Three of the five former employees declared that the vulnerability have been used in attacks in the wild.

“They absolutely discovered that bugs had been taken,” said one. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”

The Morpho team exploited a Flash Player and Java zero-day in its attacks and digitally signed its malicious code by using stolen Acer Incorporated digital certificates.

The hackers exploited a Java zero-day, tracked as CVE-2013-0422, in the attacks against Twitter and Facebook. Hackers tricked Twitter and Facebook employees into visiting hacked forums hosting the Java zero-day exploit.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Microsoft, data breach)  

[adrotate banner=”5″]

[adrotate banner=”13″]