Notorious hacker group Hafnium deployed malicious code targeting Windows; Microsoft stood still
But this time, the Redmond company seems well prepared, claiming to have information about the hacker group's activities. Microsoft security experts say Hafnium is using a strain of malware called 'Tarrask' to target and repeatedly weaken the defenses of the Windows operating system.
Specifically, according to Microsoft's preliminary investigation, the Hafnium team is using Tarrask, a "defense-evasion malware", to bypass Windows' security defenses and ensure that compromised environments remain vulnerable. Explaining the issue, the Microsoft Detection and Response Team (DART) said in a blog post:
During high-priority HAFNIUM threat actor monitoring, we discovered that some unpatched Windows zero-day vulnerabilities were abused by hackers as initial attack vectors. Further investigation revealed indications of the Impacket toolkit being used to carry out malicious activity laterally, and discovered defense-evading malware called Tarrask. It creates 'hidden' scheduled tasks, with actions to clear task attributes, to hide its activity.
Microsoft is actively monitoring Hafnium's activities and is aware that the group is abusing a new exploit targeting the Windows subsystem. The attackers appear to be exploiting a previously unknown Windows bug to hide malware from "schtasks /query" and Task Scheduler.
The malware evades detection by Windows security tools by deleting the scheduled task's associated Security Descriptor registry value. In simple terms, an unpatched Windows Task Scheduler bug helps the malware wipe its tracks and effectively hide itself from the operating system's active defenses.
Technical terms aside, Hafnium appears to be using "hidden" scheduled tasks to keep access to compromised devices even after multiple reboots. And, like any malware of this kind, Tarrask re-establishes connections with its Command-and-Control (C2) infrastructure.
The Microsoft DART team not only issued a warning but also recommends that users enable logging for 'TaskOperational' in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log. This makes it easier for system administrators to find suspicious connections from important Tier 0 and Tier 1 assets.
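As an added defender-side example (not code from this article or from Microsoft), the following PowerShell walks the Task Scheduler's registry cache and flags task keys that have no 'SD' (security descriptor) value, the trait described above, and then enables the Operational log that DART recommends. It assumes the standard TaskCache\Tree registry layout (with 'Id', 'Index' and 'SD' values on task keys) and an elevated session on the Windows host being checked.

```powershell
# Added example: hunt for scheduled-task registry entries whose security
# descriptor value is missing, the trait the article attributes to Tarrask's
# "hidden" tasks, then enable the Operational log that Microsoft DART recommends.
# Assumptions (not stated on the page): the standard Task Scheduler cache layout
# under TaskCache\Tree, where each task key carries "Id", "Index" and "SD"
# values, and an elevated PowerShell session on the Windows host being checked.

$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-TaskWithoutSecurityDescriptor {
    param([string]$Root = $TreeRoot)

    # Walk every key under Tree. Folder keys and task keys both live here;
    # by assumption only task keys carry an "Index" value, so use that to tell them apart.
    Get-ChildItem -Path $Root -Recurse -ErrorAction Stop | ForEach-Object {
        $valueNames = $_.GetValueNames()
        if (($valueNames -contains 'Index') -and ($valueNames -notcontains 'SD')) {
            [pscustomobject]@{
                # Turn the registry key name into a task path such as \Folder\Task
                TaskPath = ($_.Name -replace '^.*\\TaskCache\\Tree', '')
                Id       = $_.GetValue('Id')
                Finding  = 'Task key has no SD (security descriptor) value'
            }
        }
    }
}

function Enable-TaskSchedulerOperationalLog {
    # The Operational channel is off by default; once enabled, task registration,
    # update and execution events are written there for later review.
    wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
    wevtutil get-log 'Microsoft-Windows-TaskScheduler/Operational'
}

$suspects = @(Find-TaskWithoutSecurityDescriptor)
if ($suspects.Count -gt 0) {
    $suspects | Format-Table -AutoSize
    # Cross-check each hit against its XML definition under
    # %SystemRoot%\System32\Tasks and the matching TaskCache\Tasks\{Id} key
    # before treating it as malicious or removing it.
} else {
    Write-Output 'No task keys without an SD value found.'
}
Enable-TaskSchedulerOperationalLog
```

A task key with no SD value is a strong but not conclusive indicator; confirm the finding against the task's XML definition and the Operational log before acting on it.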