When Microsoft discovered in 2013 that hackers had breached the secret internal database it uses to track vulnerabilities, it quietly upped its security, segmenting the database from its network and requiring two-factor authentication.
The database was populated with information on critical flaws, many of those unfixed, in the company's software that were of great value to hackers, five former Microsoft employees told Reuters.
“From the adversary perspective, having access to critical and unfixed vulnerabilities is the ‘holy grail,’” said Dmitri Alperovitch, co-founder and CTO at CrowdStrike.
The company probably patched the vulnerabilities within months of discovering the breach, the report said.
“We may be seeing the ripple effects of this hack for some time and many businesses may end up suffering stealthy compromises,” said Alperovitch. “The key question to answer is how long they may have had access and what entry points were established during that time.”
The company reportedly reviewed breaches at other companies to see if any of the information taken from its database had been used in those incidents.
While Microsoft didn't speak to Reuters about the breach, it did say in a statement, “Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected.”
The database compromise, though, “highlights that everyone is vulnerable to sophisticated intrusions,” said Alperovitch.
At the time, hackers were able to use a Java zero-day exploit (CVE-2013-0422), luring Facebook and Twitter employees onto a hacked software development website. Microsoft admitted a security intrusion at that time, but stressed that hackers had limited network access.
It said at the time that the intrusion only affected "a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations. We have no evidence of customer data being affected and our investigation is ongoing."
Former employees claimed that Microsoft fixed all the flaws recorded in the breached database within months, so the vulnerabilities would have had a limited impact on users. It also checked third-party companies to see if leaked data had been used in other breaches around the same time. The company was unable to link its internal breach to others, which may have been the reason why Microsoft did not disclose full details at the time.
But some former employees told Reuters that the use of the stolen exploits in other attacks couldn't be ruled out.
“They absolutely discovered that bugs had been taken,” a former employee told Reuters. “Whether or not those bugs were in use, I don't think they did a very thorough job of discovering.”
This was due in part to Microsoft's reliance on automated reports from software crashes to see when hacks showed up. Security experts told Reuters that more sophisticated attacks do not cause crashes, and that systems holding sensitive data are the least likely to enable automated reporting.
Commenting on the news, Javvad Malik, security advocate at AlienVault, emailed SC Media UK: "Bug Bounty programmes have gained popularity in recent years amongst vendors and researchers alike. The vulnerability information itself though can be quite sensitive and, as we witnessed earlier in the year with the release of EternalBlue, an attacker with knowledge of vulnerabilities can craft highly effective payloads. Even if the vendor issues a patch, companies, unfortunately, often are unable to deploy it quickly enough. It is therefore important for companies to identify all their assets appropriately, looking at them not just from the perspective of damage that can occur to themselves, but also to their customers if an attacker was able to obtain or corrupt the data."