The HighPoint Security Hub

Navigating the ever-evolving landscape of cyber threats is a constant challenge. “The Security Hub” is here to make it easier, offering a succinct overview of the most pressing developments from the past two weeks.

In this edition, we shed light on WiKI-Eve’s password attack, Outlook’s major security breach and the cybercriminals collaborating on malware upgrades.


Global Developments

Okta’s IT Help Desk Breach: Recent reports have revealed a breach affecting Okta, a widely used identity and access management service. Hackers targeted IT help desks to gain Super Admin privileges and disable Multi-Factor Authentication (MFA) for multiple organisations. Attacks were observed between July 29 and August 19, with the attacker tampering with authentication flows to impersonate their targeted users. This breach underscores the critical importance of robust access controls, including hardened help-desk identity verification, and the urgent need for organisations to adopt a Zero Trust security approach. Read the full story here.

WiKI-Eve Attack: A new attack dubbed ‘WiKI-Eve’ poses a significant threat to wireless network security. The attack can identify numeric keystrokes over Wi-Fi with an accuracy rate of 90%, potentially compromising sensitive data. The security gap was discovered by a team of researchers in China and Singapore, who found that the attack can also decipher 6-digit numerical passwords with an accuracy rate of 85%. On average, 16 out of 20 passwords use only numerical digits, making this real-time attack a significant threat to millions of users. Read the full story here.

Apple’s Swift Response: Apple rushed to patch zero-day flaws that were exploited by the Pegasus Spyware on iPhones. Emergency updates were launched for iOS, iPadOS, macOS and watchOS to address two key issues:

  • CVE-2023-41061 – A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment.
  • CVE-2023-41064 – A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image.

The two flaws were weaponized as part of a zero-click iMessage exploitation chain named BLASTPASS, aimed at deploying Pegasus Spyware on iPhones running iOS 16.6. Read the full story here.


Commonly Used Tools and Gadgets

Notepad++ Security Fixes: Notepad++ released version 8.5.7 with fixes for four security vulnerabilities. The popular free source code editor updated its program to prevent exploitation of four key security flaws that could provide entry points for cyberattacks:

  • CVE-2023-40031: Buffer overflow in the Utf8_16_Read::convert function due to incorrect assumptions about UTF16 to UTF8 encoding conversions.
  • CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar caused by an array index order based on the buffer size, exacerbated by using the uchardet library.
  • CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState. This is linked to a specific version of the uchardet library used by Notepad++, vulnerable due to its dependency on the size of the charLenTable buffer.
  • CVE-2023-40166: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining due to failing to check buffer lengths during file language detection.

Although the vulnerabilities were identified on August 21, 2023, the Notepad++ development team did not provide a fix until September 3, after their user community placed pressure on them to acknowledge and address the problem. Read more here.
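Three of the four Notepad++ flaws above share one root cause: code that scans the start of a file (or an encoding table) without first checking how many bytes are actually available. The following C snippet is an added illustration of that bug class and its fix; it is not Notepad++ code, and the rule table, function names and sample inputs are constructed for the example. The unchecked version compares a fixed-length marker against whatever is at the buffer start, so a file shorter than the marker causes a read past the end of the heap allocation, exactly the pattern described for CVE-2023-40166. The bounded version gates every comparison on the real length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical language-detection helper, added to illustrate a heap
 * buffer read overflow caused by a missing length check. Not Notepad++ code. */

typedef struct {
    const char *marker;   /* byte sequence expected at the start of the file */
    size_t marker_len;    /* length of that sequence, excluding the NUL */
    const char *language; /* what to report on a match */
} prefix_rule_t;

/* Constructed rule table for the example; a real editor's table differs. */
static const prefix_rule_t RULES[] = {
    { "#!/bin/sh",   9,  "shell" },
    { "#!/bin/bash", 11, "shell" },
    { "<?php",       5,  "php"   },
    { "<?xml",       5,  "xml"   },
    { "%PDF-",       5,  "pdf"   },
};
#define RULE_COUNT (sizeof RULES / sizeof RULES[0])

/* BEFORE (defective): compares marker_len bytes no matter how short the
 * buffer is. A 3-byte file checked against a 9-byte marker reads 6 bytes
 * past the end of its allocation. Shown only for contrast; never call it. */
const char *detect_language_unchecked(const unsigned char *buf)
{
    for (size_t i = 0; i < RULE_COUNT; i++)
        if (memcmp(buf, RULES[i].marker, RULES[i].marker_len) == 0)
            return RULES[i].language;
    return "text";
}

/* AFTER (hardened): the caller supplies the true buffer length and every
 * comparison is gated on it, so no rule can touch a byte beyond buf[len-1]. */
const char *detect_language_bounded(const unsigned char *buf, size_t len)
{
    if (buf == NULL)
        return "text";
    for (size_t i = 0; i < RULE_COUNT; i++) {
        /* A marker longer than the data cannot match; skip it instead of
         * letting memcmp read past the end of the buffer. */
        if (len < RULES[i].marker_len)
            continue;
        if (memcmp(buf, RULES[i].marker, RULES[i].marker_len) == 0)
            return RULES[i].language;
    }
    return "text";
}

int main(void)
{
    /* Constructed inputs: the 3-byte fragment is the case that overran before. */
    const unsigned char tiny[] = { '#', '!', '/' };
    const unsigned char php[]  = "<?php echo 1;";
    printf("%s\n", detect_language_bounded(tiny, sizeof tiny));   /* text */
    printf("%s\n", detect_language_bounded(php, sizeof php - 1)); /* php  */
    return 0;
}
```

The same discipline applies to the encoding-conversion bugs in the list: the output size of a UTF-16 to UTF-8 conversion must be computed from the input actually read, not assumed from the input length, and any table indexed by a byte value needs the index checked against the table size before use.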

Outlook Hack: Microsoft recently revealed how a crash dump led to a major security breach affecting Outlook. A China-based threat actor known as Storm-0558 compromised a Microsoft engineer’s corporate account, enabling them to access a debugging environment containing information related to a crash of the consumer signing system and steal the signing key. Microsoft noted that the hacker had likely been undertaking activity against Microsoft data since August 2021 and could have enabled widespread access to other cloud services. Read the full story here.

Chrome Zero-Day Patch: Google released emergency security updates in response to another zero-day attack, the fourth since the start of the year.

While full attack details are not yet available, Google recommends that Chrome users update their browsers to include the latest security patches before additional technical specifics are released. Google warns that releasing further information could allow more hackers to create their own exploits and deploy them against Chrome users. Read the full story here.

Securing Microsoft IIS Servers: Protecting Microsoft IIS servers against malware attacks is vital for web security. A slew of activity by the North Korean threat group Lazarus has focused on distributing malware and malicious code through vulnerable Microsoft IIS servers. The group has previously been responsible for many notorious cyberattacks, including thefts of over $100 million in virtual currency.

Learn about the measures to safeguard your infrastructure. Read more here.


Malware and Ransomware

SapphireStealer Evolution: Cybercriminals are collaborating to upgrade the notorious SapphireStealer malware, creating variants in order to democratise the cybercrime landscape. SapphireStealer variants have created a reinforcing feedback loop amongst hackers, ensuring the malware keeps increasing in strength and worsening the potential consequences. Read the full report here.

macOS Malvertising Alert: A new malvertising campaign is spreading the Atomic Stealer macOS malware. Malvertising via Google Ads is considered the main distribution method: scam ads shown to users searching for popular software lead them to rogue installers. The new version of Atomic Stealer is bundled with an ad-hoc signed app that prompts users to enter their password into a fake prompt, allowing attackers to exfiltrate files, login details stored in iCloud Keychain and browser data. Read the full report here.

Exploring RemcosRat Malware: McAfee Labs has peeled back the layers of the RemcosRat malware, providing insight into its complex operation. RemcosRat is delivered through malicious VBS files contained in ZIP attachments to phishing emails, providing attackers with backdoor access to sensitive and confidential information. This malware is frequently updated and requires constant updates from McAfee to combat its multi-layered attacks. Discover the full breakdown here.

BLISTER Malware Update: A new update to the BLISTER malware is fuelling stealthy network infiltrations. It is being used as part of infection chains to distribute an open-source command-and-control framework called Mythic, which embeds itself within a legitimate VLC Media Player library in order to get around security software and infiltrate victim environments. Staying informed about emerging malware trends is essential to keeping your cybersecurity robust. Read more here.

Wrapping It Up

The cybersecurity landscape is ever-changing and staying informed is paramount to staying protected. Keep an eye on these developments and ensure your security measures are up to the task.

Do our bi-weekly insights prove valuable to you? Have you noticed trends or threads that you think our community should know about? Connect and share your insights with us on LinkedIn.

Get in touch to learn more