Author Archives: Klaus Jochem

ComRAT V4 got an upgrade: On the value of Threat Intelligence

30 May 2020

Popular IT security media and threat intelligence services reported this week that the ComRAT V4 malware used by Turla APT got an upgrade. (1)(2)(3)

The big question for all businesses is: Do we have an increased risk resulting from this upgrade? Are the existing security controls still mitigating the risk stemming from the ComRAT upgrade? Or do we have to upgrade our security controls as well?

The businesses in the focus of the Turla APT should answer this question as soon as possible. Detailed information about the feature upgrade as well as about the existing security controls is required to answer it. This is nothing new. “If you know the enemy and know yourself, you need not fear the result of a hundred battles,” says Sun Tzu in the “Art of War”, written about 500 BC.

Are you prepared to answer this question? Your investment in threat intelligence is uneconomic if you cannot evaluate the threat details in the context of your environment.

What about ComRAT? The way command and control is performed changed. But the primary installation method has not changed: “ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors.”(1)

PowerShell 5.0 Icon. Picture credits (5)

So, if you have already implemented security controls that deal with malware using PowerShell, your risk will not change. Otherwise, the publication “Securing PowerShell in the Enterprise” (4) of the Australian Cyber Security Centre is a good starting point for a systematic approach to PowerShell security.

My advice: Disable PowerShell on all standard user computers. For administrative purposes, use hardened systems without email and internet access and implement PowerShell Endpoints.
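One way to implement the “PowerShell Endpoints” recommended above is a Just Enough Administration (JEA) endpoint: administrators never get an unconstrained shell, only an allow-listed set of commands. The following is an added example, not the post’s own configuration; the module name JeaDemo, the group CONTOSO\ServiceOperators, the transcript path and the Spooler-only task are placeholders.

```powershell
# Added example: a minimal JEA endpoint (run in an elevated PowerShell 5.1 session
# on the managed server). Placeholders: JeaDemo, CONTOSO\ServiceOperators, C:\JEATranscripts.

# 1. A module folder that carries the role capability file (JEA looks for *.psrc files
#    in <module>\RoleCapabilities under the standard module paths).
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDemo.psd1')

# 2. Role capability: the operator may list services and restart exactly one of them.
#    Everything not listed here is invisible and cannot be invoked from the session.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOperator.psrc') `
    -VisibleCmdlets 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }

# 3. Session configuration: restricted (no script language, no interactive cmd),
#    runs as a transient virtual account instead of the operator's own admin token,
#    and every session is transcribed for later review by the SOC.
$pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

# 4. Validate the file, then register the endpoint (this restarts the WinRM service).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration file" }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -Force | Out-Null

# Operators then connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ServiceOps
# Inside that session, Get-Command shows only the allow-listed cmdlets; a ComRAT-style
# "download and run a second backdoor" step has no language mode or cmdlet to work with.
```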

Have a great weekend.


  1. Lakshmanan R. New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data [Internet]. The Hacker News. 2020 [cited 28 May 2020]. Available from:

  2. Robinson T. Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data [Internet]. SC Media. 2020 [cited 30 May 2020]. Available from:

  3. Gatlan S. Russian cyberspies use Gmail to control updated ComRAT malware [Internet]. BleepingComputer. 2020 [cited 30 May 2020]. Available from:

  4. Australian Cyber Security Centre. Securing PowerShell in the Enterprise [Internet]. Australian Signals Directorate. 2019 [cited 6 March 2020]. Available from:

Picture credits

  1. PowerShell 5.0 Icon. Microsoft / Public domain.

Windows malware Sarwent got an upgrade. Thou shalt not work with permanent administrative privileges!

23 May 2020

Catalin Cimpanu (1) reports in his post “Windows malware opens RDP ports on PCs for future remote access”, published on ZDNet, that the Windows malware Sarwent got an upgrade: it is now capable of using the Windows command line and PowerShell, adding users, and opening ports in the Windows firewall for RDP access from remote. Since the latter features require administrative privileges on the victim’s machine, it is very likely that the victims worked with permanent administrative privileges.

To mitigate the risk, the best approach is to revoke any administrative privileges from standard users. This will not reduce the likelihood of occurrence, but it will reduce the severity of impact of an infection with Sarwent. Furthermore, since the attacker is forced to download additional tools to fully compromise the victim’s computer, the likelihood of detection is increased.

Revoking administrative privileges from standard users is a low-cost, high-impact means to enhance resiliency against cyber-attacks, and thus should be part of every security strategy.

But it is hard to implement. Managers will face lots of discussions if users must give up beloved habits. It is very important to keep the number of exceptions as small as possible because every exception lowers the overall security level of the company.
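The two conditions described above, standard users holding local administrator rights and firewall rules that let RDP in, can be checked on each workstation. The following is an added example, not code from the post; the allow-list in $approvedAdmins is a placeholder to be adapted to your environment, and the script is run elevated on the workstation.

```powershell
# Added example: audit local admin membership and inbound RDP firewall rules.
# Placeholder allow-list: the built-in local Administrator and two (fictitious) domain groups.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\WorkstationAdmins'
)

function Get-UnapprovedLocalAdmin {
    param([Parameter(Mandatory)][string[]]$Approved)
    # Every member of the local Administrators group that is not on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-InboundRdpAllowRule {
    # Enabled inbound rules that allow TCP 3389 (or all ports), the door Sarwent opens.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any')
        } |
        Select-Object DisplayName, Profile, Group
}

$admins = @(Get-UnapprovedLocalAdmin -Approved $approvedAdmins)
$rdp    = @(Get-InboundRdpAllowRule)

if ($admins.Count) {
    Write-Warning "Unapproved members of the local Administrators group:"
    $admins | Format-Table -AutoSize
}
if ($rdp.Count) {
    Write-Warning "Enabled inbound firewall rules allowing RDP:"
    $rdp | Format-Table -AutoSize
}
if (-not $admins.Count -and -not $rdp.Count) { 'No findings.' }
```

Feed both lists into your inventory or SIEM; a new local admin or a new RDP allow rule appearing between two runs is exactly the change the post describes.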

Have a great weekend.

  1. Cimpanu C. Windows malware opens RDP ports on PCs for future remote access [Internet]. ZDNet. 2020 [cited 22 May 2020]. Available from:

Thunderspy – Don’t panic!

19 May 2020

Björn Ruytenberg’s (1) publication about 7 vulnerabilities in Intel’s Thunderbolt interface justifiably attracts a lot of media attention. Ruytenberg writes in the summary:

“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

In Nazmus Sakib’s (2) post in the Microsoft Security Blog this sounds more dramatic:

“An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.”

For the record: Full Disk Encryption (FDE) like BitLocker or LUKS only protects against theft if the computer is shut down or in hibernation mode. In these cases, the system asks for the passphrase to decrypt the device. If the computer is booted or in sleep mode, full disk encryption is useless.

This also holds for Thunderspy. The facts in brief: Thunderspy is a classic “evil maid DMA” attack. The attacker has to flash the Thunderbolt firmware with malicious code and wait for the victim to boot the computer. Once the computer is left unattended, the attacker plugs in a specially crafted Thunderbolt device and copies data from the disk.

This is nothing new. The bad news is that all Thunderbolt-equipped computers built between 2011 and 2020 are affected, and that the vulnerabilities cannot be fixed in software; a hardware redesign is required.

So, everyone with a Thunderbolt-equipped computer should be concerned? No, absolutely not.

Risk for Consumers

The risk for consumers is unchanged because, in general, these devices are not secured, neither with a BIOS password nor with FDE, and are thus easy to compromise, e.g. with a Linux live system, if left unattended.

Risk for Business People

The risk for business people is slightly increased. Business computers are in general secured with FDE, so the attacker must wait until the computer is left unattended to plug in the malicious device. Mitigation in this case requires a change in our habits: put the computer into hibernation mode instead of sleep mode when you leave your workplace. The other important rule, “Don’t attach unknown devices to your computer”, is already followed in the business domain.

Risk for Executives

The risk for business executives, military, government officials, etc. is unchanged. This group is always under attack, and is thus hopefully well protected.
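The habit change recommended for business computers above (hibernate, never sleep, when the machine is left alone) can be enforced in the Windows power scheme so that it does not depend on the user remembering it. This is an added example, not from the post; it assumes an elevated prompt on a Windows laptop and uses the standard scheme aliases that powercfg /aliases lists.

```powershell
# Added example: make hibernation the default instead of sleep (elevated prompt, Windows).
# With hibernation, RAM is written to disk and the BitLocker/FDE key is gone from memory,
# which is what defeats a DMA read through a malicious Thunderbolt device.

powercfg /hibernate on                      # ensure hiberfil.sys exists

# Idle timeouts: 0 = never enter sleep; hibernate after 15 minutes, on mains and on battery
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 15
powercfg /change hibernate-timeout-dc 15

# Lid close and power button: 2 = hibernate (0 = do nothing, 1 = sleep, 3 = shut down)
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2

powercfg /setactive SCHEME_CURRENT          # apply the changes to the active scheme

# Verify: both "Power Setting Index" lines for LIDACTION and PBUTTONACTION should read 0x00000002
powercfg /query SCHEME_CURRENT SUB_BUTTONS
```

In a domain, the same settings belong in the power management Group Policy so that users cannot switch back to sleep.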

Picture credit: Setreset (1)

Dan Goodin (3) sums it up:

“Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.”

Don’t panic!


  1. Ruytenberg B. Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security [Internet]. Thunderspy. 2020 [cited 18 May 2020]. Available from:
  2. Sakib N. Secured-core PCs help customers stay ahead of advanced data theft [Internet]. Microsoft Security Blog. 2020 [cited 18 May 2020]. Available from:
  3. Goodin D. Thunderspy: What it is, why it’s not scary, and what to do about it [Internet]. Ars Technica. 2020 [cited 13 May 2020]. Available from:

Picture credit

  1. Setreset / CC BY-SA.

Have you patched these top 10 routinely exploited vulnerabilities?

16 May 2020

On Tuesday, CISA published the alert AA20-133A, “Top 10 Routinely Exploited Vulnerabilities” (1). A day later, Zeljka Zorz raised the absolutely legitimate question “Have you patched these top 10 routinely exploited vulnerabilities?” (2) on Help Net Security.

A query against the NIST NVD and the Exploit-DB shows a gloomy picture:

Table: Top 10 Exploited Vulnerabilities

For the vulnerabilities highlighted in red, an exploit was available on the day the vulnerability was published in the NVD. For the vulnerabilities highlighted in green, the exploit was published shortly after the vulnerability. So, the question should be:

How fast did you patch these top 10 routinely exploited vulnerabilities?

These are telling examples and they are not isolated:

Figure: Exploit Publication Date relative to CVE Publication Date

The data from 2013 – 2019 for critical vulnerabilities show:

  • 41% of exploits were published before or on the same day the CVE was published, and
  • 43% of exploits were published in the range between 10 days before and 10 days after the CVE.

Time is crucial in cyber space operations. In high-risk domains, critical vulnerabilities should be patched within 24 hours of the patch becoming available. If a vendor cannot provide a patch in time, mitigating measures must be applied; in the worst case, systems must be removed from the internet.

Remember the Equifax case (CVE-2017-5638) from 2017.

Have a good weekend.


  1. CISA. Top 10 Routinely Exploited Vulnerabilities [Internet]. National Cyber Awareness System. 2020 [cited 16 May 2020]. Available from:

  2. Zorz Z. Have you patched these top 10 routinely exploited vulnerabilities? [Internet]. Help Net Security. 2020 [cited 14 May 2020]. Available from:

ZDF: Authority sounds the alarm – security vulnerabilities in Apple’s Mail app. Reason to panic?

26 April 2020

Security vulnerabilities in apps must be quite serious if ZDF(1) and DLF(2) report on them. As a rule, such reports are based on warnings from the BSI and are to be taken seriously accordingly. That is also the case here. In a press release(3) of 23 April 2020, the BSI warned against using the iOS app “Mail”.

The BSI bases its warning on research by the cyber security startup ZecOps, which was published on 20 April 2020 under the title “You’ve Got (0-click) Mail!” on the ZecOps Blog(4).

The BSI rates the vulnerabilities as “particularly critical” and recommends “deleting the app ‘Mail’ or switching off synchronisation”(3) as long as no patch is available.

The NIST NVD vulnerability database does not yet contain any details on the two vulnerabilities published by ZecOps. The ZecOps report is therefore the only source for assessing the BSI warning.

What type of vulnerabilities are these?

ZecOps discovered an “Out-Of-Bounds Write” and a “Remote Heap Overflow” vulnerability in the iOS Mail app. These “buffer overflow” vulnerabilities form the basis for so-called remote code execution vulnerabilities, which are usually classified as “critical” because they facilitate the injection of foreign code into a program. The program then no longer executes the intended instructions but those dictated by the cyber attacker. So far, the BSI’s assessment is correct.

Who is in the focus of the attackers?

ZecOps makes a very interesting statement at the beginning of the report:

“Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”

ZecOps surmises with high confidence that the vulnerabilities are being exploited on a large scale in targeted attacks, namely by state cyber actors or state-funded cyber actors. Oddly, the reference to the “advanced threat operators” (APTs) is not printed in bold; it is what guarantees the re-blogs and re-tweets.

In the focus of APTs are members of the boards of large corporations and operators of critical infrastructures, high-ranking members of government organisations, critical journalists, etc. The normal iPhone or iPad user rather not; if at all, then as collateral damage.

What are the effects of a successful attack?

ZecOps writes on this in the questions and answers section:

“Q: What does the vulnerability allow?

A: The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails.”

After a successful attack, the attacker can thus read, delete, copy and modify e-mails; writing e-mails in the user’s name is not described. Thus the confidentiality and integrity of the information are, at least in part, no longer given.

Is the attack easy to carry out?

In the Q&A section, ZecOps makes a very remarkable statement on this:

“Q: Does the vulnerability require additional information to succeed?

A: Yes, an attacker would need to leak an address from the memory in order to bypass ASLR. We did not focus on this vulnerability in our research.”

For the attacker’s malicious code to be injected at the right place in the address space, an additional vulnerability must be present. ASLR (Address Space Layout Randomization) is a technology built into all modern processors that is intended to make it harder for attackers to inject malicious code into the memory of programs. If the malicious code is inserted at the wrong place in memory, the program protected by ASLR crashes. More on this from Paul Ducklin in the Sophos Blog.(6)

As a rule, only APTs have the financial means to prepare and execute such attacks in a way that prevents the early discovery of the attacker and of the vulnerability.

Can the device be completely taken over?

In the Q&A section, ZecOps makes the following statement on this:

“Q: Why are you disclosing these bugs before a full patch is available?

Answer: It’s important to understand the following:

These bugs alone cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device.”

For a complete takeover of the device, a further vulnerability in the operating system kernel is therefore required. This can only be a previously unpublished vulnerability (a zero-day), since the known ones are patched.

A cyber weapon based on an unpublished vulnerability can be used a single time. After that, the vulnerability is known and is patched within a short time; the weapon becomes ineffective. This raises the question: which APT would sacrifice a valuable cyber weapon to spy on normal iPad or iPhone users? More on this can be found in the analysis(5) by Thomas Reed in the Malwarebytes Labs blog.

Conclusion: No reason to panic!

In my view, the BSI’s warning and the media attention are out of all proportion to the dangerousness of the vulnerability. Or, with Shakespeare: Much Ado About Nothing.

Groups of people in the focus of state or state-funded cyber actors should deactivate e-mail synchronisation until the vulnerability is patched. If deactivating synchronisation is not possible for organisational reasons, the mail gateway operators can, where appropriate, remove attachments or block oversized e-mails for these user groups.

For all other users: install the patches as soon as they are available. Anyone who believes they are in the focus of state or state-funded cyber actors should deactivate mail synchronisation until a patch is available.


  1. zdf heute. Behörde schlägt Alarm: Sicherheitslücken in Mail-App [Internet]. zdf heute. 2020 [cited 24 April 2020]. Available from:

  2. Römermann S. BSI warnt vor iOS – Schwachstellen bei Apple Mail-Programm [Internet]. Deutschlandfunk. 2020 [cited 25 April 2020]. Available from:

  3. Bundesamt für Sicherheit in der Informationstechnik. BSI – Presseinformationen des BSI – BSI warnt vor Einsatz von iOS-App „Mail“ [Internet]. BSI Presse. 2020 [cited 25 April 2020]. Available from:

  4. ZecOps. You’ve Got (0-click) Mail! [Internet]. ZecOps Blog. 2020 [cited 24 April 2020]. Available from:

  5. Reed T. iOS Mail bug allows remote zero-click attacks [Internet]. Malwarebytes Labs. 2020 [cited 24 April 2020]. Available from:

  6. Ducklin P. iPhone zero day – don’t panic! Here’s what you need to know – Naked Security [Internet]. Naked Security by Sophos. 2020 [cited 24 April 2020]. Available from:

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar’s post (1), published last Monday on The Hacker News, should instill fear in all users who haven’t migrated to Windows 10 yet.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer which is destroyed once the preview is closed.

The bad news is that Microsoft has seen attacks in which this vulnerability is leveraged (the vulnerability is being exploited in the wild). And a patch is not available yet.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept on all pre-Windows 10 systems where no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, preview requires that documents are “executed”, so preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, the user should not be able to reverse these settings.

With this, the security baseline is raised at moderate effort.
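The four points above can be set as policy values rather than left to each user’s application settings. The following is an added example, not from the post or from the Microsoft advisory; it assumes Office 2016/2019/365 (policy key version 16.0), uses the registry values written by the corresponding Group Policy templates, and is run as the target user or from a logon script. In a domain the same values belong in a GPO, which is what actually stops users from reversing them.

```powershell
# Added example: Explorer preview pane off, Office macros off without notification,
# all Office trusted locations disabled. Assumes Office policy version 16.0.

# 1. Explorer preview pane off (policy "Turn off Preview Pane"). The ATM flaw fires when
#    a crafted font is merely rendered, so previewing a document is enough to trigger it.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null
Set-ItemProperty -Path $explorerPol -Name NoReadingPane -Type DWord -Value 1

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path "$sec\Trusted Locations" -Force | Out-Null   # creates the parent key as well

    # 2. Macros: 4 = disable all without notification
    #    (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed)
    Set-ItemProperty -Path $sec -Name VBAWarnings -Type DWord -Value 4

    # 3. Trusted locations: 1 = all trusted locations disabled, so no folder bypasses the
    #    macro setting above
    Set-ItemProperty -Path "$sec\Trusted Locations" -Name AllLocationsDisabled -Type DWord -Value 1
}

# 4. Check what is in effect, for a compliance script or a quick look by the SOC
function Get-PreviewAndMacroPolicy {
    $wordSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    [pscustomobject]@{
        ExplorerPreviewOff     = (Get-ItemProperty -Path $explorerPol -Name NoReadingPane -ErrorAction SilentlyContinue).NoReadingPane -eq 1
        WordMacrosBlocked      = (Get-ItemProperty -Path $wordSec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings -eq 4
        WordTrustedLocsDisabled = (Get-ItemProperty -Path "$wordSec\Trusted Locations" -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled -eq 1
    }
}
Get-PreviewAndMacroPolicy
```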

Have a great week.

  1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 29 March 2020]. Available from:

  2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 29 March 2020]. Available from:

CVE-2020-0796 – New Critical SMB V3 Vulnerability. Time to Panic?

22 March 2020

On March 12, 2020 Microsoft published a CVSS V3.1 severity 10 vulnerability in the SMBv3 protocol. CVE-2020-0796 (1), also called CoronaBlue, impacts the Windows 10 client and server versions 1903 and 1909.

The bad news first. CoronaBlue is, like EternalBlue/WannaCry, a wormable remote code execution vulnerability. A single Windows 10 system with the SMBv3 protocol installed and port 445 open to the internet is enough for the infiltration of a network.

The good news is that only a few systems with Windows 10 version 1903 or 1909 have port 445 exposed to the internet. These Windows versions are just too new.

Nevertheless, immediate patching is required because a proof of concept exploit code was published on March 14, 2020.

In addition, Microsoft recommends deactivating SMBv3 compression until the patches are installed and activated (2).

But the most important advice Microsoft gives is:

“Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks.”

This advice holds for all SMB versions. There is no need to access Windows systems through the SMB protocol from the internet. Therefore, this protocol should be blocked by the internet facing firewall of DMZs. No exceptions! Apparently, some thousand CISOs do not care:
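The host-side part of this advice, Microsoft’s documented compression workaround plus a local block of inbound SMB and a check that nothing still exposes port 445, can be scripted. This is an added example, not from the post or the advisory; it assumes an elevated PowerShell session on Windows 10 1903/1909, and the rule name is a placeholder. The perimeter block the post calls for is still done on the internet-facing firewall, not here.

```powershell
# Added example: apply Microsoft's SMBv3 compression workaround, block inbound SMB on
# untrusted networks, and report the remaining exposure. Run elevated on Windows 10.

# 1. Microsoft's published workaround for CVE-2020-0796: disable SMBv3 compression on
#    the server side until the patch is installed and activated.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name DisableCompression -Type DWord -Value 1 -Force

# 2. Belt and braces: block inbound SMB on the Public profile (the profile Windows
#    selects on networks it does not trust, e.g. hotel or home Wi-Fi).
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Public' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null

# 3. Check: is anything listening on 445, is the workaround in place, and does any
#    enabled rule still allow 445 inbound (default "File and Printer Sharing (SMB-In)"
#    rules on the Domain/Private profiles will show up here and are expected there)?
function Get-SmbExposure {
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $allow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
    $comp = (Get-ItemProperty -Path $lanman -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Port445Listening    = [bool]$listening
        CompressionDisabled = ($comp -eq 1)
        InboundAllowRules   = @($allow | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })
    }
}
Get-SmbExposure
```

A rule allowing 445 on the Public profile, or a listener on 445 on a machine that never shares files, is the finding to chase; on an internet-facing host the answer is always to remove SMB from the edge, not to patch and keep it exposed.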

Figure: Windows systems with SMB ports open to the internet.

Have a great week. And check your firewall rules!


  1. NIST NVD. NVD – CVE-2020-0796 [Internet]. NIST Information Technology Laboratory. 2020 [cited 2020 Mar 22]. Available from:
  2. MSRC. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability [Internet]. Microsoft Security. [cited 2020 Mar 22]. Available from: