It’s a cat-and-mouse struggle as tech giants Microsoft and Apple deal with persistent threats from Chinese state actors and Pegasus spyware.

Revelations this week from Microsoft and Apple speak to the COVID-like persistence of cyber threats and the ability of threat actors to adapt in the wild, steal credentials and sidestep patches.
Microsoft explained this week how it had detected, and moved to harden its defenses against, a state actor (whose malware Microsoft dubbed Cigril), while Apple focused on patches designed to address zero-day exposure to Pegasus mobile-device spyware.
The China-aligned actor Storm-0558 earlier this year accessed the accounts of senior officials in the U.S. State and Commerce Departments, thanks to credentials stolen from a Microsoft engineer’s corporate account two years ago, as the company described in a post earlier this week.
Microsoft explained how a crash of its consumer signing system in April 2021, which produced a snapshot of the crashed process, or “crash dump,” ultimately gave the actors access to credentials.
Said Microsoft, “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”
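Microsoft’s account is that the dump redaction should have removed the key and that its systems did not detect the key material that slipped through. The following Python scanner is an added illustration, not Microsoft’s tooling or code from this article, of the kind of credential scan a team can run over crash dumps before they leave the production boundary: it finds PEM private-key blocks and JWKs carrying private members, applies an entropy test to long base64-looking runs that no structured rule explains, and redacts what it finds. The dump fragment, key IDs and the entropy threshold are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed crash-dump fragment for the demo (not a real dump). It mixes
# filler bytes with one PEM private key, one JWK that carries a private
# exponent, a raw high-entropy blob, and a long but low-entropy run that a
# naive "long base64 string" rule would wrongly flag.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"thread 7: signing worker waiting on lock\n"
    + b"-----BEGIN PRIVATE KEY-----\n"
    + b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/constructed/not/a/real/key\n"
    + b"-----END PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b'{"kty":"RSA","kid":"constructed-kid","e":"AQAB","d":"c29tZXByaXZhdGVleHBvbmVudGJ5dGVz0123456789"}'
    + b"\xff" * 8
    + b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # 64 distinct symbols: entropy 6.0
    + b"\n"
    + b"A" * 72  # long base64-looking run, but entropy 0: must not be flagged
    + b"\nend of fragment\n"
)

# PEM block with any key type prefix ("RSA ", "EC ", or none), body and footer.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----.*?-----END \1PRIVATE KEY-----", re.S)
# A JWK is private if it carries "d" (RSA/EC private exponent) or "k" (symmetric secret).
JWK_PRIVATE_RE = re.compile(
    rb'\{[^{}]*?"kty"\s*:\s*"(?:RSA|EC|oct)"[^{}]*?"(?:d|k)"\s*:\s*"[A-Za-z0-9_-]{16,}"[^{}]*?\}', re.S)
# Candidate raw key material: long runs of base64/base64url characters.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/=_-]{64,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a repeated byte, 6.0 for uniformly random base64, 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _overlaps(start: int, end: int, spans: list) -> bool:
    return any(start < e and s < end for s, e in spans)


def scan_dump(data: bytes, entropy_threshold: float = 5.0) -> list:
    """Return findings sorted by offset. Structured matches (PEM, JWK) are
    collected first; the entropy rule only runs on runs they do not already cover."""
    findings = []
    for kind, pattern in (("pem_private_key", PEM_PRIVATE_RE), ("jwk_private_member", JWK_PRIVATE_RE)):
        for m in pattern.finditer(data):
            findings.append({"kind": kind, "offset": m.start(), "length": m.end() - m.start()})
    covered = [(f["offset"], f["offset"] + f["length"]) for f in findings]
    for m in BASE64_RUN_RE.finditer(data):
        if _overlaps(m.start(), m.end(), covered):
            continue
        entropy = shannon_entropy(m.group(0))
        if entropy >= entropy_threshold:
            findings.append({"kind": "high_entropy_blob", "offset": m.start(),
                             "length": m.end() - m.start(), "entropy": round(entropy, 3)})
    return sorted(findings, key=lambda f: f["offset"])


def redact(data: bytes, findings: list) -> bytes:
    """Replace each finding with a marker, working from the end so earlier offsets stay valid."""
    out = bytearray(data)
    for f in sorted(findings, key=lambda f: f["offset"], reverse=True):
        out[f["offset"]:f["offset"] + f["length"]] = b"[REDACTED:" + f["kind"].encode() + b"]"
    return bytes(out)


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for f in found:
        print(f)
    print(redact(SAMPLE_DUMP, found).decode("latin-1"))
```

The entropy rule is deliberately a fallback: structured matches are cheap and precise, while the entropy test catches key bytes that a process held in a non-PEM, non-JSON form, at the cost of needing a threshold tuned against the normal contents of the dumps a given service produces.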
Microsoft said that the attackers forged authentication tokens to access user email using the “acquired” Microsoft account consumer signing key. “Microsoft has completed mitigation of this attack for all customers,” the company said.
The company said that it has enhanced prevention, detection and response for credential material; enhanced credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation.
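One item in that list, automated key scope validation in authentication libraries, is the control that would have stopped a consumer-scope key from standing behind enterprise tokens. The Python below is an added illustration, not code from Microsoft or this article, of the difference: a verifier that only asks “does some known key verify this signature?” accepts a token minted with the consumer key for an enterprise issuer, while a verifier that also checks the key’s registered scope, the issuer bound to that scope and the expiry rejects it. The key registry, key IDs, issuer URLs and the use of HMAC-SHA256 (standing in for the asymmetric signatures a real identity provider uses) are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key registry (example data, not Microsoft's). Each signing key
# records the scope it may sign for and the issuer values that belong to that
# scope. The scope is metadata held by the verifier; the token's own claims
# must never be trusted to assert it.
KEY_REGISTRY = {
    "consumer-key-01": {
        "secret": b"constructed-consumer-secret",
        "scope": "consumer",
        "issuers": {"https://login.consumer.example"},
    },
    "enterprise-key-01": {
        "secret": b"constructed-enterprise-secret",
        "scope": "enterprise",
        "issuers": {"https://login.enterprise.example"},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token with the named key (HS256 stands in for
    the real asymmetric signature). Used here only to build fixtures."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return header, claims, head_b64 + "." + body_b64, _b64url_decode(sig_b64)


def verify_signature_only(token: str):
    """The weak check: any registered key that verifies the signature is accepted."""
    try:
        header, _claims, signing_input, sig = _parse(token)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "signature ok"


def verify_with_scope(token: str, expected_scope: str, now=None):
    """The hardened check: signature, then key scope, then issuer-to-scope binding, then expiry."""
    ok, reason = verify_signature_only(token)
    if not ok:
        return ok, reason
    header, claims, _, _ = _parse(token)
    key = KEY_REGISTRY[header["kid"]]
    if key["scope"] != expected_scope:
        return False, f"key {header['kid']} is scoped to {key['scope']}, not {expected_scope}"
    if claims.get("iss") not in key["issuers"]:
        return False, f"issuer {claims.get('iss')!r} is not valid for key scope {key['scope']}"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, f"token valid for scope {expected_scope}"


if __name__ == "__main__":
    claims = {"iss": "https://login.enterprise.example", "sub": "official@agency.example",
              "exp": int(time.time()) + 3600}
    forged = sign_token("consumer-key-01", claims)  # wrong key class for this issuer
    print("signature only :", verify_signature_only(forged))
    print("with key scope :", verify_with_scope(forged, "enterprise"))
```

The order of checks matters for the reason strings a defender sees in logs: a signature that verifies under a key of the wrong scope is a far more specific signal than a generic “invalid token”, and it is exactly the anomaly that a consumer key signing enterprise-tenant tokens would produce.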
Microsoft, which has tracked attackers for years, reported details in July 2023 on how Storm-0558 accessed email accounts of some 25 organizations, including government agencies and related consumer accounts of individuals likely associated with these organizations. The attackers used an acquired Microsoft account consumer key to forge tokens to access OWA and Outlook.com.
In an executive analysis by Microsoft Threat Intelligence, researchers wrote that starting May 15, 2023, Storm-0558 used forged authentication tokens to access user emails.
“[Microsoft] has successfully blocked this campaign from Storm-0558,” reported Microsoft Threat Intelligence. “As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”
The authors went on to say they had identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer and coordinated with multiple government entities.
Microsoft, which has been vocal about transparency in dealing with attacks, said it was working to tighten its security protocols. In the just-concluded review of Storm-0558, the company’s security team noted that its email, conferencing, web research and other collaboration tools can make users vulnerable to spear phishing, token-stealing malware and other attacks.
“For this reason — by policy and as part of our Zero-Trust and ‘assume breach’ mindset — key material should not leave our production environment,” Microsoft said.
Ted Miracco, CEO at Approov Mobile Security, said the two most disturbing features of the report are that Storm-0558 could forge tokens to access the email accounts of high-level officials and that the breach persisted for years without being discovered.
“This would lead one to question: How many other accounts are being compromised today with forged tokens, and how do you go about identifying additional compromised accounts?” Miracco said. “The findings reinforce that constant vigilance is required to stay ahead of sophisticated attackers, and keys and tokens need to be rotated frequently to prevent persistent access to compromised accounts.”
Pete Nicoletti, global CISO at Check Point Software, added that the incident underscores the need for companies to implement both multiple layers of security and robust monitoring mechanisms.
“A review of who has access to cryptographic keys is also critical for every company,” Nicoletti said. “Furthermore, it is imperative for companies to employ security tools that remain concealed from MX lookups, complemented by an endpoint tool designed to thwart the subsequent stages of an attack.”
Nicoletti said businesses must proactively safeguard against unauthorized key access following a potential company email breach. “At Check Point, we strongly advocate the adoption of a specialized key management system that enforces additional authentication requirements, operates within an isolated, offline network and upholds vigilant access monitoring practices.”
A day after Microsoft’s explanation, Apple issued an emergency release of software patches to fix a pair of zero-day vulnerabilities that were reportedly used to attack a victim with the NSO Group’s Pegasus spyware. Pegasus is notorious, among other things, for having been deployed by the Saudi government to track — and murder — the journalist Jamal Khashoggi. The two new vulnerabilities are reportedly Apple’s thirteenth zero-day this year.
The kill chain could affect even the most up-to-date (iOS 16.6) iPhones, with the victim having to fall for social engineering. Apple said that one CVE left certain Apple devices, including iPhones, Apple Watches, Macs and iPads, open to attack, and that the attack chain targets the Image I/O framework. The second vulnerability, in the Wallet function, leaves a device open to attack from a “maliciously crafted attachment.”
The patches for iOS, iPadOS, watchOS and macOS Ventura are the latest effort to put the shackles on Pegasus, built by Israel’s NSO Group and originally meant as a surveillance tool for governments.
Rick Holland, CISO at ReliaQuest, said the new patches are the latest in an ongoing skirmish.
“I’m confident this update is related to the zero-click vulnerabilities being exploited by the NSO group,” Holland said. “Apple has been playing a cat-and-mouse game with the NSO group for years. Researchers identify a vulnerability, Apple patches it, the NSO group develops new exploits and the cycle begins again.”
Karl is a lead writer on cloud security for TechRepublic, specializing in enterprise security risks, strategies, products, threats, trends and technologies for securing organizations. After graduating from Florida State University, he worked for the Tampa Tribune, and radio and TV stations in Tallahassee before moving to Boulder, Colorado. After receiving an MFA in dramatic writing from Brooklyn College he became a journalist and wrote for several years for publications covering the automotive, industrial chemical, internet tech and consumer marketing verticals. He has written for Adweek, Brandweek, The Chemical Market Reporter and MediaPost, and was also the public affairs officer at the NYU Tandon School of Engineering for six years prior to coming to TA.