Unpatched Flaws Possibly Stolen From Microsoft in 2013 Hack: Report

Hackers may have stolen information on unpatched vulnerabilities after breaching Microsoft’s systems and gaining access to a bug tracker back in 2013, Reuters reported on Monday.

At the time of the breach, Microsoft informed customers that it had been targeted in an attack similar to the ones aimed at Facebook and Apple.

“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing,” Microsoft said at the time.

Reuters learned from five former Microsoft employees that the attackers also breached a database that stored information on unpatched flaws affecting Windows and other products. The database had been protected only with a password.

While Microsoft fixed all the vulnerabilities within months of the intrusion and found no evidence of the flaws being exploited in other attacks, it’s still possible that the malicious actor created exploits that it used in other campaigns.

The former employees said Microsoft analyzed breaches suffered by other organizations at the time, but found no clear evidence that the stolen vulnerability information had been abused.

However, three of the former employees claim the study had too little data and noted that Microsoft relied on automated reports generated by software crashes to find exploits. Experts argued that sophisticated attacks may not have generated crashes that would tip off Microsoft. In fact, the company did observe attacks exploiting the vulnerabilities, but concluded that the vulnerability details could have been obtained elsewhere.

“In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen and used in subsequent attacks,” a Microsoft spokesperson told SecurityWeek.

The hacker group that targeted Microsoft, Apple, Twitter and Facebook back in 2013 is known as Butterfly, Morpho and Wild Neutron. The threat actor, described as a financially motivated espionage group, is believed to have been active since at least 2011.

The hackers leveraged watering holes, Java zero-day exploits, and Windows and Mac backdoors to target the tech giants. The attackers went silent for nearly a year after these campaigns and reemerged in late 2013, when they started targeting organizations in the legal, real estate, investment, IT and healthcare sectors around the world. They also launched attacks on individual users and Bitcoin companies.

Microsoft is not the only company whose bug-tracking database has been breached. Back in 2015, Mozilla informed users that an attacker breached its Bugzilla bug tracker using stolen credentials and accessed information on 185 non-public vulnerabilities affecting Firefox and other products.

*Updated with statement from Microsoft

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.