Microsoft Confronts China-based Storm-0558, Apple Issues Patches for Pegasus Spyware



It’s a cat-and-mouse struggle as tech giants Microsoft and Apple deal with persistent threats from China state actors and Pegasus spyware.
Revelations this week from Microsoft and Apple speak to the COVID-like persistence of cyber threats and the ability of threat actors to adapt in the wild, steal credentials and sidestep patches.
Microsoft explained this week how it discovered the intrusion and has attempted to harden its defenses against state actors (using malware Microsoft dubbed Cigril), while Apple focused on patches designed to address zero-day exposure to Pegasus mobile-device spyware.
SEE: DLL sideloading and CVE attacks show diversity in the threat landscape (TechRepublic)
The China-aligned actor Storm-0558 earlier this year gained access to the accounts of senior officials in the U.S. State and Commerce Departments, thanks to credentials stolen from a Microsoft engineer’s corporate account two years ago, as the company described in a post earlier this week.
Microsoft explained how a crash of its consumer signing system in April 2021, which produced a snapshot of the crashed process (a “crash dump”), gave the actors access to credentials.
Said Microsoft, “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”
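As an added illustration of the detection control described above (not Microsoft’s own tooling), here is a small scanner that looks for private-key material in a process crash dump and zeroes it out before the dump leaves the production environment. The dump bytes, key formats and key IDs are constructed for the example; the point is that redaction at crash time can fail (as the race condition above did), so a second, independent scan of the artifact before export catches what the first step missed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    kind: str     # which signature matched
    offset: int   # byte offset in the dump
    length: int   # length of the matched region

# Signatures for key material that must never appear in a debugging artifact:
# PEM-wrapped private keys and JSON Web Keys that carry a private exponent ("d").
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("pem_private_key", re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
        rb"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", re.DOTALL)),
    ("jwk_private_key", re.compile(
        rb'\{[^{}]*"kty"\s*:\s*"(?:RSA|EC)"[^{}]*"d"\s*:\s*"[A-Za-z0-9_-]+"[^{}]*\}')),
]

# Constructed crash dump: a few bytes of "memory" with a PEM key and a private
# JWK embedded among them. Hypothetical data, not taken from any real process.
SAMPLE_DUMP = (
    b"\x00\x01stack frame data\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n"
    b"\x00heap region\x00"
    b'{"kty":"RSA","kid":"consumer-signing-key-hypothetical","n":"AQAB","e":"AQAB","d":"constructed_private_exponent"}'
    b"\x00trailing bytes\x00"
)

def scan_dump(data: bytes) -> List[Finding]:
    """Return every region of the dump that matches a key-material signature."""
    findings = [Finding(kind, m.start(), m.end() - m.start())
                for kind, pattern in PATTERNS
                for m in pattern.finditer(data)]
    findings.sort(key=lambda f: f.offset)
    return findings

def redact_dump(data: bytes) -> bytes:
    """Overwrite every finding with zero bytes so the dump can be handed to a
    debugging environment without carrying signing keys. Length is preserved so
    offsets recorded elsewhere in the dump stay valid."""
    out = bytearray(data)
    for f in scan_dump(data):
        out[f.offset:f.offset + f.length] = b"\x00" * f.length
    return bytes(out)

def dump_is_clean(data: bytes) -> bool:
    """Export gate: refuse to move a dump that still contains key material."""
    return not scan_dump(data)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.kind} at offset {f.offset} ({f.length} bytes)")
    print("clean after redaction:", dump_is_clean(redact_dump(SAMPLE_DUMP)))
```

Pattern matching of this kind only finds formats it knows about; in practice the scan would be paired with an allow-list of the key IDs the production signing service actually holds, so that a match on a known `kid` string is treated as a hard failure rather than a warning.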
Microsoft said that the attackers forged authentication tokens to access user email using the “acquired” Microsoft account consumer signing key. “Microsoft has completed mitigation of this attack for all customers,” the company said.
The company said that it has enhanced prevention, detection and response for credential material; enhanced credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation.
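The key-scope validation the page says Microsoft added to its authentication libraries, shown here as an added Python example that is not Microsoft’s code. It uses HMAC-SHA256 in place of the RSA signatures real tokens carry (an assumption made to keep the example self-contained), constructed key IDs and secrets, and a two-scope registry (“consumer” and “enterprise”). The weak verifier accepts any token whose signature validates under any registered key, which is exactly what lets a consumer signing key vouch for an enterprise token; the hardened verifier also requires the key’s scope and the token’s audience to match the audience the endpoint serves.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key registry. Each signing key is bound to the identity system it
# serves; the secrets and key IDs are hypothetical, and HMAC stands in for the
# RSA signatures that real tokens would carry.
KEYS = {
    "msa-consumer-key":   {"secret": b"consumer-signing-key-material",   "scope": "consumer"},
    "aad-enterprise-key": {"secret": b"enterprise-signing-key-material", "scope": "enterprise"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, payload: dict) -> str:
    """Mint a JWT-style token under the named key (used here only to build inputs)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def _split(token: str):
    """Decode header, payload and signature; None for anything malformed."""
    try:
        h, p, s = token.split(".")
        return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
                _b64url_decode(s), f"{h}.{p}")
    except ValueError:
        return None

def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def verify_signature_only(token: str) -> Optional[dict]:
    """Weak pattern: any registered key that produces a valid signature is
    trusted, regardless of which identity system that key belongs to."""
    parts = _split(token)
    if parts is None:
        return None
    header, payload, sig, signing_input = parts
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key["secret"], signing_input, sig):
        return None
    return payload

def verify_with_key_scope(token: str, expected_audience: str) -> Optional[dict]:
    """Hardened pattern: the key must be scoped for the audience this endpoint
    serves, and the token must claim that same audience, before the signature
    is accepted."""
    parts = _split(token)
    if parts is None:
        return None
    header, payload, sig, signing_input = parts
    key = KEYS.get(header.get("kid"))
    if key is None or key["scope"] != expected_audience:
        return None          # wrong key family for this endpoint
    if payload.get("aud") != expected_audience:
        return None          # token was not issued for this audience
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    return payload

if __name__ == "__main__":
    claims = {"sub": "official@agency.example", "aud": "enterprise"}
    forged = sign_token("msa-consumer-key", claims)    # consumer key, enterprise claims
    legit = sign_token("aad-enterprise-key", claims)
    print("signature-only accepts consumer-signed enterprise token:",
          verify_signature_only(forged) is not None)
    print("scoped check accepts it:", verify_with_key_scope(forged, "enterprise") is not None)
    print("scoped check accepts properly issued token:",
          verify_with_key_scope(legit, "enterprise") is not None)
```

The scope test runs before the signature check on purpose: a leaked key is still a valid key, so signature verification alone can never tell a forged token from a legitimate one. Binding each key to one audience limits what any single leaked key can be used for, and rotating keys on a schedule (the point Miracco raises below) bounds how long a leaked one stays useful.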
Microsoft, which has tracked attackers for years, reported details in July 2023 on how Storm-0558 accessed email accounts of some 25 organizations, including government agencies and related consumer accounts of individuals likely associated with these organizations. The attackers used an acquired Microsoft account consumer key to forge tokens to access OWA and Outlook.com.
In an executive analysis by Microsoft Threat Intelligence, researchers wrote that starting May 15, 2023, Storm-0558 used forged authentication tokens to access user emails.
“[Microsoft] has successfully blocked this campaign from Storm-0558,” reported Microsoft Threat Intelligence. “As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”
The authors went on to say they had identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer and coordinated with multiple government entities.
Microsoft, which has been vocal about transparency in dealing with attacks, said it was working to tighten its security protocols. In the just-concluded review of Storm-0558, the company’s security team noted that its email, conferencing, web research and other collaboration tools can make users vulnerable to spear phishing, token-stealing malware and other attacks.
“For this reason — by policy and as part of our Zero-Trust and ‘assume breach’ mindset — key material should not leave our production environment,” Microsoft said.
Ted Miracco, CEO at Approov Mobile Security, said the two most disturbing features of the report are that Storm-0558 could forge tokens to access the email accounts of high-level officials and that the breach persisted for years without being discovered.
“This would lead one to question: How many other accounts are being compromised today with forged tokens, and how do you go about identifying additional compromised accounts?” Miracco said. “The findings reinforce that constant vigilance is required to stay ahead of sophisticated attackers, and keys and tokens need to be rotated frequently to prevent persistent access to compromised accounts.”
Pete Nicoletti, global CISO at Check Point Software, added that the incident underscores the need for companies to implement both multiple layers of security and robust monitoring mechanisms.
“A review of who has access to cryptographic keys is also critical for every company,” Nicoletti said. “Furthermore, it is imperative for companies to employ security tools that remain concealed from MX lookups, complemented by an endpoint tool designed to thwart the subsequent stages of an attack.”
Nicoletti said businesses must proactively safeguard against unauthorized key access following a potential company email breach. “At Check Point, we strongly advocate the adoption of a specialized key management system that enforces additional authentication requirements, operates within an isolated, offline network and upholds vigilant access monitoring practices.”
A day after Microsoft’s explanation, Apple issued emergency software patches to fix a pair of zero-day vulnerabilities that were reportedly used to attack a victim with the NSO Group’s Pegasus spyware. Pegasus is notorious, among other things, for having been deployed by the Saudi government to track — and murder — the journalist Jamal Khashoggi. The two new vulnerabilities are reportedly Apple’s thirteenth zero-day this year.
SEE: Israel-based threat actors show growing sophistication of email attacks (TechRepublic)
The kill chain could affect even the most up-to-date (iOS 16.6) iPhones, with the victim having to fall for social engineering. Apple said that a CVE left certain Apple devices, including iPhones, Apple Watches, Macs and iPads, open to attack, and that the attack chain targets the Image I/O framework. The second vulnerability, in the Wallet function, leaves a device open to attacks from a “maliciously crafted attachment.”
The patches for iOS, iPadOS, watchOS and macOS Ventura are the latest effort to put the shackles on Pegasus, originally meant as a government tool for Israeli surveillance.
Rick Holland, CISO at ReliaQuest, said the new patches are the latest in an ongoing skirmish.
“I’m confident this update is related to the zero-click vulnerabilities being exploited by the NSO group,” Holland said. “Apple has been playing a cat-and-mouse game with the NSO group for years. Researchers identify a vulnerability, Apple patches it, the NSO group develops new exploits and the cycle begins again.”