Revelations this week from Microsoft and Apple speak to the COVID-like persistence of cyber threats and the ability of threat actors to adapt in the wild, steal credentials and sidestep patches.
Microsoft explained this week how it had discovered and attempted to harden ramparts in the face of state actors (using malware Microsoft dubbed Cigril), while Apple focused on patches designed to address zero day exposure to Pegasus mobile-device spyware.
The China-aligned actor Storm-0558 earlier this year accessed senior officials in the U.S. State and Commerce Departments thanks to credentials stolen from a Microsoft engineer’s corporate account two years ago, which the company described in a post earlier this week.
Microsoft explained how the consumer signing system crash in April of 2021, which resulted in a snapshot of the crashed process, or “crash dump,” gave the actors access to credentials.
Said Microsoft, “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”
Microsoft said that the attackers forged authentication tokens to access user email using the “acquired” Microsoft account consumer signing key. “Microsoft has completed mitigation of this attack for all customers,” the company said.
The company said that it has enhanced prevention, detection and response for credential material; enhanced credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation.
Microsoft on how Storm-0558 forged tokens
Microsoft, which has tracked attackers for years, reported details in July 2023 on how Storm-0558 accessed email accounts of some 25 organizations, including government agencies and related consumer accounts of individuals likely associated with these organizations. The attackers used an acquired Microsoft account consumer key to forge tokens to access OWA and Outlook.com.
In an executive analysis by Microsoft Threat Intelligence, researchers wrote that starting May 15, 2023, Storm-0558 used forged authentication tokens to access user emails.
“[Microsoft] has successfully blocked this campaign from Storm-0558,” reported Microsoft Threat Intelligence. “As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”
The authors went on to say they had identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer and coordinated with multiple government entities.
Zero-trust mindset versus vulnerabilities
Microsoft, which has been vocal about transparency in dealing with attacks, said it was working to tighten its security protocols. In the just-concluded review of Storm-0558, the company’s security team noted that its email, conferencing, web research and other collaboration tools can make users vulnerable to spear phishing, token-stealing malware and other attacks.
“For this reason — by policy and as part of our Zero-Trust and ‘assume breach’ mindset — key material should not leave our production environment,” Microsoft said.
Ted Miracco, CEO at Approov Mobile Security, said the two most disturbing features of the report are that Storm-0558 could forge tokens to access the email accounts of high-level officials and that the breach persisted for years without being discovered.
“This would lead one to question: How many other accounts are being compromised today with forged tokens, and how do you go about identifying additional compromised accounts?” Miracco said. “The findings reinforce that constant vigilance is required to stay ahead of sophisticated attackers, and keys and tokens need to be rotated frequently to prevent persistent access to compromised accounts.”
Multiple layers of security are critical to address multiple threats
Pete Nicoletti, global CISO at Check Point Software, added that the incident underscores the imperative need for companies to implement both multiple layers of security and robust monitoring mechanisms.
“A review of who has access to cryptographic keys is also critical for every company,” Nicolleti said. “Furthermore, it is imperative for companies to employ security tools that remain concealed from MX lookups, complemented by an endpoint tool designed to thwart the subsequent stages of an attack.”
Nicolleti said businesses must proactively safeguard against unauthorized key access following a potential company email breach. “At CheckPoint, we strongly advocate the adoption of a specialized key management system that enforces additional authentication requirements, operates within an isolated, offline network and upholds vigilant access monitoring practices.”
Apple issued patches versus Pegasus, an ongoing tête-à-tête with NSO Group
A day after Microsoft’s explanation, Apple floated an emergency release of software patches to fix a pair of zero-day vulnerabilities that were reportedly used to attack a victim with the NSO Group’s Pegasus spyware. Pegasus is notorious, among other things, for having been deployed by the Saudi government to track — and murder — the journalist Jamal Khashoggi. The two new vulnerabilities are reportedly Apple’s thirteenth zero-day this year.
The kill chain could affect even the most up-to-date (iOS 16.6) iPhones, with the victim having to fall for social engineering. Apple, here, said that a CVE left certain Apple mobile devices, including iPhones, Apple Watches, Macs and iPads, open to attack. Apple said the attack chain aims for the Image I/O framework. The second vulnerability in the Wallet function leaves a device open to attacks from a “maliciously crafted attachment.”
The patches for iOS, iPadOS, watchOS, macOS and Ventura is the latest effort to put the shackles on Pegasus, originally meant as a government tool for Israeli surveillance.
Rick Holland, CISO at ReliaQuest, said the new patches are the latest in an ongoing skirmish.
“I’m confident this update is related to the zero-click vulnerabilities being exploited by the NSO group,” Holland said. “Apple has been playing a cat-and-mouse game with the NSO group for years. Researchers identify a vulnerability, Apple patches it, the NSO group develops new exploits and the cycle begins again.”