Microsoft, Apple versus China, spyware actors



Revelations this week from Microsoft and Apple speak to the COVID-like persistence of cyber threats and the ability of threat actors to adapt in the wild, steal credentials and sidestep patches.

Microsoft explained this week how it discovered the intrusion and moved to harden its defenses against state actors (using malware Microsoft dubbed Cigril), while Apple focused on patches designed to address zero-day exposure to the Pegasus mobile-device spyware.

SEE: DLL sideloading and CVE attacks show diversity in the threat landscape (TechRepublic)

Microsoft seals doors against Storm-0558

The China-aligned actor Storm-0558 earlier this year accessed the email accounts of senior officials in the U.S. State and Commerce Departments thanks to credentials stolen from a Microsoft engineer’s corporate account two years ago, as the company described in a post earlier this week.

Microsoft explained how a crash of its consumer signing system in April 2021, which produced a snapshot of the crashed process, or “crash dump,” gave the actors access to credentials.

Said Microsoft, “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”

Microsoft said that the attackers forged authentication tokens to access user email using the “acquired” Microsoft account consumer signing key. “Microsoft has completed mitigation of this attack for all customers,” the company said.

The company said that it has enhanced prevention, detection and response for credential material; enhanced credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation.
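The key-scope validation Microsoft describes is the check that stops a token signed with a consumer key from being accepted for an enterprise issuer. The following is an added illustration, not Microsoft's code or library: it uses a constructed key registry and HMAC-signed tokens (real deployments use asymmetric keys and a published key set) with assumed key IDs and issuer names, and shows a validator that checks only the signature beside one that also enforces the key's issuer scope.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key registry (assumption): each signing key records the issuers it may sign for.
# A consumer key is scoped to the consumer issuer, an enterprise key to the enterprise issuer.
KEY_REGISTRY = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuers": {"consumer.example"}},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuers": {"enterprise.example"}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(kid: str, claims: dict) -> str:
    """Sign claims with the named registry key; used here only to construct test tokens."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(token: str, enforce_key_scope: bool = True) -> Optional[dict]:
    """Return the claims if the signature is valid and (when enforced) the key is scoped for the issuer."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    key = KEY_REGISTRY.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    # Key-scope check: a valid signature is not enough; the key must be allowed to sign for this issuer.
    if enforce_key_scope and claims.get("iss") not in key["issuers"]:
        return None
    return claims
```

A token signed with the consumer key but claiming the enterprise issuer passes the signature-only validator and is rejected once key scope is enforced.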

Microsoft on how Storm-0558 forged tokens

Microsoft, which has tracked attackers for years, reported details in July 2023 on how Storm-0558 accessed email accounts of some 25 organizations, including government agencies and related consumer accounts of individuals likely…