Tag Archives: Risk evaluation

ComRAT V4 got an upgrade: On the value of Threat Intelligence

30 May 2020

Popular IT security media and threat intelligence services reported this week that the ComRAT V4 malware used by Turla APT got an upgrade. (1)(2)(3)

The big question for all businesses is: Do we have an increased risk resulting from this upgrade? Are the existing security controls still mitigating the risk stemmed from the ComRAT upgrade? Or do we have to upgrade our security controls as well.

The businesses in focus of the Turla APT should answer this question as soon as possible. Detailed information about the feature upgrade as well as the existing security controls are required to answer this question. This is nothing new. “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” says Tzu Sun in the “Art of War” about 500 BC.

Are you prepared to answer this question? Your invest in threat intelligence is uneconomic if you cannot evaluate the threat details in the context of your environment.

What about ComRAT? The way command and control is performed changed. But the primary installation method has not changed: “ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors.”(1)

PowerShell 5.0 Icon (5)

PowerShell 5.0 Icon. Picture Credits (5)

So, if you already implemented security controls, that deal with malware which uses PowerShell, your risk will not change. Otherwise, the publication “Securing PowerShell in the Enterprise” (4) of the Australian Cyber Security Center is a good starting point for a systematic approach to PowerShell security.

My advice: Disable PowerShell on all standard user computers. For administrative purposes, use hardened systems without email and internet access and implement PowerShell Endpoints.

Have a great Weekend.

References

  1. Lakshmanan R. New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data [Internet]. The Hacker News. 2020 [zitiert 28. Mai 2020]. Verfügbar unter: https://thehackernews.com/2020/05/gmail-malware-hacker.html

  2. Robinson T. Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data [Internet]. SC Media. 2020 [zitiert 30. Mai 2020]. Verfügbar unter: https://www.scmagazine.com/home/security-news/malware/turlas-comrat-v4-uses-gmail-web-ui-to-receive-commands-steal-data/

  3. Gatlan S. Russian cyberspies use Gmail to control updated ComRAT malware [Internet]. BleepingComputer. 2020 [zitiert 30. Mai 2020]. Verfügbar unter: https://www.bleepingcomputer.com/news/security/russian-cyberspies-use-gmail-to-control-updated-comrat-malware/

  4. Australian Cyber Security Center. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [zitiert 6. März 2020]. Verfügbar unter: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

Picture credits

  1. PowerShell 5.0 Icon. Microsoft / Public domain. https://commons.wikimedia.org/wiki/File:PowerShell_5.0_icon.png

Thunderspy – Don‘t panic!

19 May 2020

Björn Ruytenberg‘s (1) publication about 7 vulnerabilities in Intel’s Thunderbolt interface justifiably attracts a lot of media attention. Ruytenberg writes in the summary:

“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

In Nazmus Sakib’s (2) post in the Microsoft Security Blog this sounds more dramatically:

“An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.”

For the record: Full Disk Encryption (FDE) like BitLocker or LUKS only protects against theft if the computer is in shutdown or hibernation mode. In these cases, the system asks for the passphrase to encrypt the device. If the computer is booted or in sleep mode full disk encryption is useless.

This also holds for Thunderspy. The facts in brief. Thunderspy is a classic “evil maid DMA” attack. The attacker has to flash the Thunderbolt firmware with malicious code and wait for the victim to boot his computer. Once the computer is left unattended the attacker plugs in a specially crafted Thunderbolt device and copies data from the disk.

This is nothing new. The bad news is that all Thunderbolt-equipped computers built between 2011 and 2020 are affected. And that the vulnerabilities cannot be fixed; a hardware redesign is required.

So, everyone with a Thunderbolt-equipped computer should be concerned? No, absolutely not.

Risk for Consumers
The risk for consumers is unchanged because, in general, these devices are not secured, neither with a BIOS password nor with FDE, thus easy to compromise, e.g., with a Linux Live System, if left unattended.

Risk for Business people
The risk for business people is slightly increased. Business computers in general are secured with FDE, so the attacker must wait until the computer is left unattended to plug in the malicious device. Mitigation in this case requires a change in our habits: Put the computer in hibernation mode, instead in sleep mode, if you leave you workplace. The other important rule, “Don’t attach unknown devices to your computer” is already followed in the business domain.

Risk for Executives
The risk for business executives, military, government officials, etc. is unchanged. This group is always under attack, thus hopefully well protected.

Picture credit: Setreset (1)

Picture credit: Setreset (1)

Dan Goodin (3) sums it up:

“Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.”

Don’t panic!

References

  1. Ruytenberg B. Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security [Internet]. Thunderspy. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://thunderspy.io/
  2. Sakib N. Secured-core PCs help customers stay ahead of advanced data theft [Internet]. Microsoft Security Blog. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://www.microsoft.com/security/blog/2020/05/13/secured-core-pcs-help-customers-stay-ahead-of-advanced-data-theft/
  3. Goodin D. Thunderspy: What it is, why it’s not scary, and what to do about it [Internet]. Ars Technica. 2020 [zitiert 13. Mai 2020]. Verfügbar unter: https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/

PIcture credit

  1. Setreset / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0), https://commons.wikimedia.org/wiki/File:Spy_silhouette.svg

Security falls often by the wayside if availability is a priority

16 May 2015

When we talk about information security we often forget printing. We add labels like ‘Confidential’ or ‘Top secret’ to documents to make it clear to everyone that these documents contain the company’s crown jewels. But when it comes to printing the printouts stay in the printer output bin, sometimes for days and accessible for everyone.

Fortunately most printer vendors developed secure print systems to support the users in the secure handling of information. In a secure print system documents are not output immediately when printed by the user. Instead, they are cached by the print service and output only after request by the user.

Before the user can request a printout he has to sign-in to the printer with his username and password. Since it is very annoying to sign in for every printout users can register their ID cards or special printing cards to speed up the output process. For fallback, e.g. if the user forgot his ID card, sign in with username and password is possible.

Secure Printing Threat Model

Secure Printing Threat Model. Click to enlarge.

If a user requests a printout, he places his ID card on the card reader attached to the printer. The built-in Authentication Manager (AM) sends an [1] Authentication Request to the Authentication and Authorization Manager (AAM). The AAM checks against the Active Directory whether the user is valid [2] and against the ID-Card Database [3] whether the ID-Card is valid and registered. Upon successful authentication the AM notifies [4] the Print Manager (PM). The PM on the printer retrieves a list of the user’s prints jobs from the Print Service and prints the selected jobs or all.

This works perfect. And since every document is cached by the print service and send only on request to the printer the users can request printouts on every printer attached to the secure printing system.

Unfortunately documents cannot be output when the network connection to i.e. the Authentication and Authorization Manager is not available. And this is a real disaster!

To boost availability the secure print system suppliers introduced the local credential cache [7]. After successful sign in to the printing system the user’s credentials and badge number [6] is cached in the printer. If the connection to the AAM service is down, the system authenticates the user against the locally cached credentials. Great!

But with the local credential cache the suppliers built-in a weakness into the system. If a terminated user could disturb the network connection to the AAM he could use the secure printing system with the credentials stored on the printer.

To securely terminate an employee you need to disable his ID card and his active directory account immediately. This will make sure that he can no longer access the secure printing system.

In addition you shall clear the user’s credentials from every printer he used for secure printing to make sure that he cannot access the secure print system in the case of a system failure.

At this time at the latest, risk evaluation makes sense. Under normal conditions it is very unlikely that an employee without administrative privileges could disturb the connection to the AAM. Thus the risk is low that an employee without administrative privileges can exploit this weakness.

But it is necessary to check the workflows for terminating employees. Since an employee can reach the secure print system by login with his username and password it is very important to disable the account immediately. This will prevent unauthorized access.

If you already introduced a secure printing system I would strongly recommend to restart the risk evaluation process for your printing system and to check the processes for terminating employees.

Don’t panic…

… and have a good weekend.