
This New Malware Uses Windows Bugs to Conceal Scheduled Tasks


Microsoft has found new malware used by the Chinese state-backed Hafnium hacking group to create and hide scheduled tasks on compromised Windows machines in order to maintain persistence.

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask hides these scheduled tasks from "schtasks /query" and from the Task Scheduler GUI by deleting the task's Security Descriptor (SD) registry value, abusing a previously undocumented Windows flaw: a task whose SD value is missing still runs, but is no longer enumerated by the usual tools.

By re-establishing dropped connections to command-and-control (C2) infrastructure, the threat group was able to keep access to the infected devices even after reboots. While the Hafnium operators could have deleted all on-disk artefacts, including all registry keys and the task XML file written to the system folder, doing so would have cost them persistence across restarts.

The "hidden" tasks can only be discovered by manually searching the Windows Registry for scheduled tasks whose Task key has no SD (security descriptor) value.

Admins can additionally check for key events associated with tasks "hidden" by Tarrask by enabling the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs. Microsoft also suggests enabling 'TaskOperational' logging in the Microsoft-Windows-TaskScheduler/Operational log and monitoring outbound connections from critical Tier 0 and Tier 1 assets.
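The registry check described above, written out as an added example (this is not code from the original post or from Microsoft DART). It assumes the standard Task Scheduler cache location under HKLM\...\Schedule\TaskCache, an elevated PowerShell session (the Tree key is not readable by standard users), and the built-in ScheduledTasks module; the hypothetical Find-HiddenScheduledTask function reports every task node that either lacks an SD value or is absent from the Task Scheduler API's own listing.

```powershell
# Added example, not from the original post or from Microsoft DART.
# Compares the Task Scheduler registry cache with what the Task Scheduler API reports.
# A task with no SD value, or present in the registry but missing from the API,
# matches the artifact left by Tarrask. Run from an elevated PowerShell session.
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
# Same Tree key as $treeRoot, in the form returned by the .Name property of a registry item.
$treeName  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-HiddenScheduledTask {
    # Task paths the API is willing to show, e.g. "\Microsoft\Windows\Defrag\ScheduledDefrag".
    $visibleTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $_.TaskPath + $_.TaskName }

    # Walk the Tree key recursively; folders nest, and only leaf nodes carry an Id value.
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props.Id) { return }          # folder node, not a task

            # Strip the Tree prefix so the path matches the API's "\Folder\TaskName" form.
            $taskPath  = $_.Name.Substring($treeName.Length)
            $hasSd     = $null -ne $props.SD
            $isVisible = $visibleTasks -contains $taskPath

            # Tasks\{GUID} holds the task metadata, including the on-disk XML path and author,
            # so the analyst can see what the hidden task actually runs.
            $taskNode = Get-ItemProperty -Path (Join-Path $tasksRoot $props.Id) -ErrorAction SilentlyContinue

            [pscustomobject]@{
                TaskPath   = $taskPath
                TaskId     = $props.Id
                HasSD      = $hasSd
                VisibleApi = $isVisible
                Author     = $taskNode.Author
                XmlPath    = $taskNode.Path      # relative to %SystemRoot%\System32\Tasks
            }
        } |
        Where-Object { -not $_.HasSD -or -not $_.VisibleApi }
}

# Anything listed here deserves a look at its XML file and at the TaskScheduler/Operational log.
Find-HiddenScheduledTask | Format-Table -AutoSize
```

An empty result means every cached task has an SD value and is reported by the API; a row with HasSD false is the exact registry state the post describes.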

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."

Active Email Threat from Microsoft Hack, Warns White House


The Biden administration is highly alarmed by a series of recently discovered cyber intrusions that Microsoft this week attributed to China. The White House has cautioned that exploitation of newly disclosed vulnerabilities in Microsoft software has affected "a significant number of victims" in the US.

"This is an active threat," White House press secretary Jen Psaki said on Friday. "Everyone running these servers - government, private sector, academia - needs to act now to patch them." 

Microsoft said the hackers were attacking their targets through its Exchange mail server software. Tens of thousands of American organizations have reportedly been affected. The US has long suspected the Chinese government of cyber-espionage.

On Saturday, the U.S. National Security Council stated that it was "essential that any organization with a vulnerable server take immediate measures". Later on Friday, the Cybersecurity and Infrastructure Security Agency underlined the danger in an unusually direct tweet, saying that exploitation could "enable an attacker to gain control of an entire enterprise network."

White House officials urged private sector companies running Microsoft Exchange Server software to install several critical updates, which were released as an emergency patch. This week Microsoft announced that it was aware of multiple vulnerabilities in its server software that Chinese hackers had exploited. The hacking group, which Microsoft calls Hafnium, has gone after "infectious disease researchers," law firms, higher education institutions, defense contractors, policy think-tanks, and NGOs, Microsoft stated previously. According to Microsoft, the group had not previously been publicly identified.

In the US, over 20,000 organizations have been hacked, with many more affected globally, Reuters said. In recent days, an unusually active Chinese cyber-espionage unit has infiltrated at least 30,000 organizations in the USA — including a large number of small companies, towns, cities, and local governments — aiming to steal email from victim organizations.

Microsoft did not confirm the figures but said in a further statement on Friday that it was working closely with US government agencies. It advised customers that "the best protection" was "to apply updates as soon as possible across all impacted systems." It added that it had published interim mitigations to support those unable to update quickly, but cautioned that these are not "a remediation if your Exchange servers have already been compromised, nor are they full protection against attack."