Please see Security Advisories for the week ending May 15, 2020
- New Variant of Dark Crystal RAT Discovered
- Microsoft Releases May 2020 Security Updates
- Increase in North Korean Malicious Cyber Activity
- Adobe Releases Security Updates for Adobe DNG Software Development Kit, Acrobat, and Reader
- Vulnerabilities Discovered in VMware vRealize Operations Manager (vROps)
FireEye has discovered a new variant of Dark Crystal RAT (DCRat) Malware.
This new variant of DCRat is written in C# and adds capabilities beyond the previous version: it can install executables and droppers, and it can be controlled by a command and control (C2) server via GET requests.
DCRat is typically installed via phishing. A successful infection can allow the attacker to install additional malware, cover up the initial compromise, and ultimately result in loss of control of affected systems.
Ensure that anti-virus is up to date, and exercise caution with attachments and links in emails. Search your environment for existing signs of the indicated IoCs, and consider blocking and/or setting up detection for all URL- and IP-based IoCs. The IoCs are located in the technical overview link provided.
For a brief overview:
For additional information:
Microsoft has released security updates for the following software:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- Microsoft Dynamics
- .NET Framework
- .NET Core
- Power BI
Many vulnerabilities were found in widely used Microsoft applications.
Many of the CVEs involve remote code execution, including in popular software such as Excel.
All updates are included in the Windows 10 monthly patch. Please check the update status in Windows 10 Settings and apply the latest patch.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified and published three new malware variants used by the North Korean government: COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH.
COPPERHEDGE is identified as a Remote Access Tool (RAT) malware variant used by the North Korean government.
TAINTEDSCRIBE is a malware implant (trojan) that is installed on compromised systems to receive and execute the attacker's commands. These samples use FakeTLS for session authentication and for network encryption, utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft's Narrator.
PEBBLEDASH is another malware implant (trojan) that has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
COPPERHEDGE has the capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.
TAINTEDSCRIBE and PEBBLEDASH each download their command execution module from a command and control (C2) server and then have the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
CISA has provided mitigation measures in the form of Snort rules, as well as recommendations for system owners and administrators to help protect against these types of attacks.
These recommendations can be found at:
COPPERHEDGE - https://www.us-cert.gov/ncas/analysis-reports/ar20-133a
TAINTEDSCRIBE - https://www.us-cert.gov/ncas/analysis-reports/ar20-133b
Adobe has discovered and patched vulnerabilities in several of its products, including the Adobe DNG Software Development Kit, Acrobat, and Reader.
Adobe has identified vulnerabilities that an attacker could exploit to take control of an affected system.
Failure to patch could result in loss of control of affected systems and possible compromise of system and network integrity.
Adobe advises updating to the latest version of the Adobe DNG Software Development Kit, Acrobat, and Reader as soon as possible.
For a brief overview:
For additional information:
VMware has announced two vulnerabilities (CVE-2020-11651 and CVE-2020-11652) in its vRealize product, related to its integration of the popular open source server management software SaltStack. These vulnerabilities affect VMware vRealize Operations Manager (vROps) versions 7.5, 8.0.x, and 8.1.
The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes SaltStack, which is affected by CVE-2020-11651 and CVE-2020-11652. CVE-2020-11651 is an authentication bypass: functionality is unintentionally exposed to unauthenticated network clients. CVE-2020-11652 is a directory traversal: untrusted input (i.e. parameters in network requests) is not sanitized correctly, allowing unconstrained access to the entire filesystem of the master server. Both vulnerabilities are exploitable by a remote unauthenticated attacker. Combining the two could result in full remote command execution as root on both the master and all minions that connect to it, and could be used to configure new resources on cloud instances. These vulnerabilities have been seen being exploited in the wild.
CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any virtual machines to which the ARC has deployed a Telegraf agent. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC filesystem.
VMware has updates pending for each of the affected versions of vROps.
In the meantime, VMware has issued workarounds to help mitigate these vulnerabilities. These workarounds can be found at:
It is strongly recommended to apply these workarounds now and the patch when it becomes available. These vulnerabilities are currently being exploited in the wild.