Vengeful researcher Nightmare-Eclipse gets Microsoft’s attention: “Never justifiable and has real-world consequences”

Microsoft Security Response Center (MSRC) released a defensive blog post calling out the vindictive anonymous security researcher, known as Nightmare-Eclipse, for bypassing coordinated disclosure. Behind the corporate language, the message is clear: Microsoft wants researchers to stay in their lanes. It immediately struck a nerve among cyber pros.
Over the past two months, Nightmare-Eclipse has been fighting a personal vendetta against MSRC, releasing Windows zero-days publicly – 6 in total. These vulnerabilities enabled attackers to elevate privileges to SYSTEM level and even bypass BitLocker encryption.
The hacker’s stated motivation: claims that Microsoft “violated their agreement,” “stabbed them in the back,” “ruined their life,” and left them “homeless with nothing.”
The zero-days got Microsoft’s attention. The tech giant has acknowledged all 6 disclosed vulnerabilities, calling them an “unnecessary risk” that forced its security teams to work around the clock to understand the flaws, protect customers, and develop patches.
“The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk,” MSRC’s blog post reads.
The post reads like a warning shot – disclosures outside proper channels face consequences.
Microsoft expresses firm opposition to Nightmare-Eclipse’s actions, and calls any disclosure outside proper coordination “unjustifiable.”
The tech giant is threatening legal action but doesn’t name the targets, using broad language to cover both actual attackers and researchers who “enable them” with proof-of-concept (PoC) code.
“Our security teams … work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers,” the blog post reads.
“Our Digital Crimes Unit will continue bringing cases against these actors and those who enable their criminal activity.”
The blog post ends with some sort of peace offering – welcoming vulnerability submissions from anyone, “regardless of past interactions or reputation.”
“We invite diverse perspectives,” MSRC said.
“We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”
It’s unclear what legal risks Nightmare-Eclipse faces. While using exploits to gain unauthorized access and break systems is a crime, simply publishing code is a legal grey area. Courts have previously, in other contexts, treated code as a form of speech protected by the First Amendment. A more immediate risk might be a breach of platform policies.
The largest code-sharing platforms, GitHub and GitLab, have already blocked the disgruntled researcher’s accounts and wiped their code.
Still, GitHub’s policy “allows dual-use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits,” as it has educational value and “provides net benefit to the security community.”
Only in rare cases does GitHub restrict access to disrupt ongoing attacks.
Cyber pros aren't impressed
The cybersecurity community’s reaction to the MSRC’s post was sceptical – researchers lined up to share their own frustrating experiences with the disclosure process.
Rémi Gascou (Podalirius), a Senior Security Researcher at SpecterOps, shared that Microsoft neither rewarded nor acknowledged the command injection vulnerability they disclosed, although it was fixed a month later.
“I’ve heard nothing but horror stories about those submitting to MSRC, so it's no surprise that this would be the fallout. Personally, I find this post hilarious,” posted Jason Lang, a Team Lead of Targeted Operations at TrustedSec.
Nightmare-Eclipse has gone quiet since, with no new vulnerabilities or blog posts published following the bans and Microsoft’s statement.