Weekly Cyber Reports

This Week in Cyber 28th July 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

27th July, 2023


Critical Privilege Escalation Vulnerability In MikroTik RouterOS Puts Hundreds of Thousands of Devices at Risk

A critical privilege escalation flaw in MikroTik RouterOS, tracked as CVE-2023-30799, lets an attacker who already holds an 'admin' account promote that account to 'super-admin' and from there execute arbitrary code and take full control of the device. An estimated 500,000 to 900,000 RouterOS systems expose the web or Winbox interface through which the flaw is reachable. The authentication bar is low: RouterOS ships with a default 'admin' account that has an empty password, so weak authentication practices rather than a second bug usually supply the foothold. A published proof-of-concept (PoC) showed that a new exploit chain can be derived from the original vulnerability, ending in a root shell on the router. Given MikroTik's history as a target for APT groups, users should apply the fixed releases promptly (6.49.8 for the 6.x branch, or 7.x), and should also restrict the web and Winbox services to trusted management addresses and replace any default credentials.
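The triage script below is an added example, not code from the original post, from MikroTik or from the PoC authors. It assumes you have already collected, per router, the text of `/system resource print` (for the version) and `/ip service print` (for which management services are enabled and the addresses they are restricted to). The fixed-version threshold follows the post above, so 6.x below 6.49.8 is reported as needing the patch and the 7.x branch is treated as patched; the sample outputs and the host name are constructed.

```python
"""Triage RouterOS devices for CVE-2023-30799 (admin -> super-admin) exposure.

Added example (not from the post, MikroTik or the PoC authors). Inputs are the
text of `/system resource print` and `/ip service print` collected from each
router; the fixed-version threshold is the one the post states. Sample outputs
below are constructed.
"""
import re
from dataclasses import dataclass, field

PATCHED_6X = (6, 49, 8)               # threshold taken from the post above
# Services the post names as the path through which the flaw is reachable.
MGMT_SERVICES = {"www", "www-ssl", "winbox"}

VERSION_RE = re.compile(r"^\s*version:\s*(\d+(?:\.\d+)*)", re.M)
# Columns of `/ip service print`: index, optional flag letters (X = disabled),
# name, port, then an optional ADDRESS column of comma-separated CIDRs.
SERVICE_RE = re.compile(
    r"^\s*\d+\s+(?P<flags>[A-Z]*)\s*(?P<name>[\w-]+)\s+(?P<port>\d+)\s*(?P<address>[\d./,]*)"
)


@dataclass
class RouterReport:
    host: str
    version: tuple
    needs_patch: bool
    exposed: list = field(default_factory=list)   # (service, address restriction)


def parse_version(resource_output: str) -> tuple:
    """Extract the numeric version from `/system resource print` output."""
    m = VERSION_RE.search(resource_output)
    if not m:
        raise ValueError("no 'version:' line found")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_unpatched(version: tuple) -> bool:
    """True when the version is on the 6.x branch (or older) and below the fix."""
    if version[0] >= 7:
        return False
    return version < PATCHED_6X


def exposed_services(service_output: str) -> list:
    """Return (name, address) for enabled web/Winbox services.
    An empty address means the service answers on every interface."""
    found = []
    for line in service_output.splitlines():
        m = SERVICE_RE.match(line)
        if not m or "X" in m.group("flags") or m.group("name") not in MGMT_SERVICES:
            continue
        found.append((m.group("name"), m.group("address")))
    return found


def triage(host: str, resource_output: str, service_output: str) -> RouterReport:
    v = parse_version(resource_output)
    return RouterReport(host, v, is_unpatched(v), exposed_services(service_output))


# Constructed sample outputs (not from a real device).
SAMPLE_RESOURCE = """\
                   uptime: 2w3d4h5m6s
                  version: 6.48.6 (long-term)
               build-time: Dec/03/2021 13:19:06
"""
SAMPLE_SERVICES = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS            CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22
 4 X www-ssl  443                      none
 5   api      8728
 6   winbox   8291  192.168.88.0/24
 7   api-ssl  8729                     none
"""


def demo() -> RouterReport:
    return triage("edge-rtr-01", SAMPLE_RESOURCE, SAMPLE_SERVICES)


if __name__ == "__main__":
    r = demo()
    print(f"{r.host}: RouterOS {'.'.join(map(str, r.version))} "
          f"{'NEEDS PATCH' if r.needs_patch else 'patched'}; "
          f"exposed: {r.exposed or 'none'}")
```

Run against real collected output, a router that is both unpatched and has `www` with no address restriction is the one to fix first; a `winbox` entry limited to a management subnet is still reported so you can confirm that subnet is actually trusted.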


SEC's New Cyber Attack Disclosure Rules: Balancing Transparency and Timeliness

The U.S. Securities and Exchange Commission (SEC) has adopted rules that require publicly traded companies to disclose a cybersecurity incident within four business days of determining that it is material, a significant shift in how companies handle and reveal breaches. SEC Chair Gary Gensler said that investors and companies alike would benefit from disclosure that is consistent and comparable rather than the uneven practice seen today. The disclosure must describe the nature, scope and timing of the incident and its material impact, or reasonably likely material impact, on the company. Disclosure may be delayed, initially by up to 60 days, only where the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety. Companies must also report annually on how they assess, identify and manage cybersecurity risk. Deciding what counts as "material" remains a challenge for many organizations. The rules aim to improve transparency, protect shareholders and strengthen cybersecurity defenses, but some experts warn that the tight window could lead to inaccurate disclosures and create security risks of its own, for example by describing an incident that has not yet been contained.


APT Group Deploys Advanced DeliveryCheck Backdoor to Target Defense Sector

DeliveryCheck (also tracked as CAPIBAR and GAMEDAY) is a .NET backdoor that Turla has deployed against defense-sector targets in Eastern Europe. The Microsoft Threat Intelligence team and CERT-UA uncovered the espionage campaign and attributed it to Turla, a group with a long history of such intrusions. The backdoor arrives as an emailed document with malicious macros, persists through a scheduled task that downloads and launches it in memory, and polls a command-and-control server for tasks, which can include running arbitrary payloads. A second, long-known Turla implant, Kazuar, is sometimes deployed alongside it to collect sensitive data; in this campaign that included data from the Signal desktop app for Windows, such as private conversations, documents and images. Notably, DeliveryCheck has a server-side component that the operators install on Microsoft Exchange servers using PowerShell Desired State Configuration (DSC), a legitimate administration feature, turning a victim's own mail server into a malware command center.
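Two of the behaviours described above, persistence through a scheduled task and DSC being driven on an Exchange server, are observable in ordinary Windows event logs. The detection logic below is an added example, not code from the original post, from Microsoft or from CERT-UA, and it is not based on any published indicator for this campaign. It runs over a small constructed set of normalised events (a 4698 "scheduled task created" record carrying the task XML, and 4688 process-creation records with command lines); the launcher list, the DSC cmdlet names and the Exchange host inventory are assumptions to tune for your environment.

```python
"""Heuristic detections for scheduled-task persistence and DSC use on Exchange.

Added example (not from the post, Microsoft or CERT-UA; no published IOCs).
Events are constructed dicts shaped like normalised Windows Security log
records: 4698 with the task XML, 4688 with the process command line.
"""
import xml.etree.ElementTree as ET

# Living-off-the-land launchers that rarely belong in a scheduled task created
# outside change control (assumed list; tune it).
SUSPECT_LAUNCHERS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                     "mshta.exe", "wscript.exe", "cscript.exe"}
# Argument fragments typical of download-and-run-in-memory stagers.
SUSPECT_ARGS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring", "iex ")
# Built-in DSC cmdlets; seeing them driven on a mail server is the behaviour to catch.
DSC_CMDLETS = ("start-dscconfiguration", "invoke-dscresource",
               "publish-dscconfiguration", "set-dsclocalconfigurationmanager")
# Assumed inventory of Exchange hosts (lower-case FQDNs).
EXCHANGE_HOSTS = {"exch01.corp.example"}


def _localname(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]            # strip the task-schema namespace


def task_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a 4698 task body."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if _localname(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            if _localname(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _localname(child.tag) == "Arguments":
                args = (child.text or "").strip()
        yield cmd, args


def check_scheduled_task(event: dict):
    """Flag a 4698 event whose task runs a scripting host or an encoded command."""
    for cmd, args in task_actions(event["task_content"]):
        exe = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        low = args.lower()
        if exe in SUSPECT_LAUNCHERS or any(s in low for s in SUSPECT_ARGS):
            return {"rule": "suspicious_scheduled_task", "host": event["host"],
                    "task": event["task_name"], "command": f"{cmd} {args}".strip()}
    return None


def check_dsc_usage(event: dict):
    """Flag a 4688 event that drives DSC; raise severity on Exchange hosts."""
    low = event["command_line"].lower()
    if not any(c in low for c in DSC_CMDLETS):
        return None
    on_exchange = event["host"].lower() in EXCHANGE_HOSTS
    return {"rule": "dsc_invocation", "host": event["host"],
            "severity": "high" if on_exchange else "medium",
            "command": event["command_line"]}


def run_detections(events):
    alerts = []
    for ev in events:
        hit = None
        if ev["event_id"] == 4698:
            hit = check_scheduled_task(ev)
        elif ev["event_id"] == 4688:
            hit = check_dsc_usage(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events; the encoded-command value is a placeholder.
STAGER_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -EncodedCommand SQBFAFgA</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/nightly</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "ws-042.corp.example", "task_name": r"\Microsoft\Windows\Update\Sync",
     "task_content": STAGER_TASK_XML},
    {"event_id": 4698, "host": "fs01.corp.example", "task_name": r"\NightlyBackup",
     "task_content": BENIGN_TASK_XML},
    {"event_id": 4688, "host": "EXCH01.corp.example",
     "command_line": r"powershell.exe -NoProfile -Command Start-DscConfiguration -Path C:\Windows\Temp\cfg -Wait -Force"},
    {"event_id": 4688, "host": "ws-042.corp.example", "command_line": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the DSC rule needs an allow-list for the change windows in which your Exchange administrators legitimately use DSC; the point of the rule is that DSC on a mail server should be a rare, scheduled event, so anything outside that window deserves a look.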


FraudGPT: AI Tool for Cybercriminals Enables Spear-Phishing and Malware Generation

Cybercriminals have begun selling FraudGPT, an AI tool advertised on dark web marketplaces and Telegram channels and built specifically for offensive use: writing spear-phishing emails, producing cracking tools and supporting carding operations. In circulation since at least July 22, 2023, it is sold on subscription at $200 per month, $1,000 for six months or $1,700 per year. Its advertised capabilities also include writing malicious code, building "undetectable" malware and finding leaks and vulnerabilities; these are seller claims, but even partial delivery on them threatens organizations' security and data integrity. FraudGPT is part of a wider trend of threat actors turning to generative AI, in the mould of OpenAI's ChatGPT but without its safety restrictions, to scale up existing crime. Such tools can feed phishing-as-a-service (PhaaS) operations and let novice actors run convincing phishing and business email compromise (BEC) campaigns at volume.


Uncovering Critical Vulnerability: Arbitrary Code Execution in Huawei Theme Manager

During Huawei's mobile bug bounty programme in 2019, researchers uncovered a critical vulnerability in the Themes Manager of EMUI devices. Looking at how lock screens are implemented, they found that the dynamic lock-screen engine, com.huawei.ucdlockscreen, loaded classes at runtime without validating them, bypassing the signature checks that were supposed to gate such code. By crafting the theme.xml inside a .hwt theme archive, they could inject their own code into that engine at runtime and gain arbitrary code execution in the context of the highly privileged com.huawei.android.thememanager application, with broad access to sensitive user data and system resources.


The impact was extensive: the theme manager holds around 200 Android and Huawei custom permissions, so code running in its context can reach user data, sensitive system information and credentials, and undermine system integrity. The bug also offered a path to escalate further to the system level, making it a valuable link in a rooting chain. Huawei shipped an update to HwThemeManager in February 2022, but the researchers found that the actual fix lives in ucdlockscreen.apk (com.huawei.ucdlockscreen version 3 and later), so a device that carries an updated HwThemeManager alongside an older ucdlockscreen.apk remains vulnerable. Checking the installed version of com.huawei.ucdlockscreen, not just of the theme manager, is therefore the right way to verify that a device is fixed.

