Notorious hacker group Hafnium deploys new malware against Windows, putting Microsoft on alert

Hafnium, the notorious hacker group that shocked the world with a campaign that compromised Microsoft Exchange servers more than a year ago, is back, and its return has once again put Microsoft on alert.

This time, however, the Redmond company appears to have been well prepared, saying it has detailed information about the group's activities. Microsoft security researchers report that Hafnium is using a strain of malware called 'Tarrask' to evade the defenses of the Windows operating system and stay persistent on compromised machines.


Specifically, according to Microsoft's preliminary investigation, the Hafnium group is using Tarrask, a "defense-evasion malware", to bypass Windows security defenses and ensure that compromised environments remain accessible to the attackers. Explaining the issue, the Microsoft Detection and Response Team (DART) said in a blog post:

While tracking the high-priority HAFNIUM threat actor, we discovered new activity that leverages unpatched zero-day vulnerabilities as initial attack vectors. Further investigation revealed forensic artifacts of Impacket tooling being used for lateral movement and execution, and the discovery of a defense-evasion malware called Tarrask. It creates 'hidden' scheduled tasks, followed by actions that remove the task's attributes, to conceal the tasks from the usual means of identification.

Microsoft is actively monitoring Hafnium's activities and is aware that the group is abusing a previously undocumented behaviour of the Windows Task Scheduler. The attackers appear to be using it to hide malicious scheduled tasks from "schtasks /query" and from the Task Scheduler application.

The malware evades detection by Windows security tools by deleting the Security Descriptor (SD) registry value stored with the task under the Task Scheduler's TaskCache\Tree key. Once that value is gone, the task no longer appears in the Task Scheduler UI or in "schtasks /query" output, yet it continues to run on its trigger. In simple terms, this is not a classic exploitable vulnerability: removing the SD value already requires SYSTEM-level privileges, which is why Microsoft treats it as a defense-evasion technique used after the initial compromise rather than as a way in.

Technical terms aside, Hafnium is using these "hidden" scheduled tasks to keep access to compromised devices even after multiple reboots. As with most malware of this kind, Tarrask also uses the tasks to re-establish connections with its Command-and-Control (C2) infrastructure.

The Microsoft DART team not only issued a warning but also recommended that administrators enable the 'TaskOperational' logging in the Microsoft-Windows-TaskScheduler/Operational log, audit the TaskCache\Tree registry entries for tasks whose SD value is missing, and monitor outbound connections from important Tier 0 and Tier 1 assets, since a hidden task that beacons to a C2 server is easiest to spot on the network.
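The following PowerShell script is an added example, not code from the Microsoft DART post or from the Tarrask analysis. It implements the hunting steps described above: it walks the Task Scheduler's TaskCache\Tree registry key and reports every task entry whose SD value is absent, cross-checks whether those tasks are also invisible to the Task Scheduler API, then enables the Microsoft-Windows-TaskScheduler/Operational log and pulls recent task registration and execution events. The registry paths and event IDs are standard Windows ones; the script must be run from an elevated session, and the event IDs chosen for the final query are the author's selection, not a list from the original post.

```powershell
# Added example: hunt for scheduled tasks whose Security Descriptor (SD) registry
# value has been removed, the hiding technique described above. Run elevated.

$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

# 1. Walk every node under the Tree key. Leaf task entries carry an 'Id' value
#    (folders do not). A normal task also has an 'SD' value; a task whose SD
#    has been deleted still runs but no longer shows up in schtasks /query or
#    the Task Scheduler UI.
$hidden = Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $props.Id -and $null -eq $props.SD) {
        # The Id is a GUID that names the matching key under TaskCache\Tasks,
        # where the task's author, URI and actions are stored.
        $taskInfo = Get-ItemProperty -Path (Join-Path $tasksRoot $props.Id) -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            TaskPath = $_.PSPath -replace '.*\\Tree\\', '\'
            Id       = $props.Id
            Author   = $taskInfo.Author
            Uri      = $taskInfo.URI
        }
    }
}

if ($hidden) {
    Write-Warning 'Task entries with no SD value (hidden from schtasks /query):'
    $hidden | Format-Table -AutoSize
} else {
    Write-Host 'No TaskCache\Tree entries are missing their SD value.'
}

# 2. Cross-check: a task hidden this way is also absent from the Task Scheduler
#    API, so anything listed above that Get-ScheduledTask cannot see should be
#    preserved from the host (registry export, Tasks\{Id} key) for forensics.
foreach ($t in $hidden) {
    $name = Split-Path -Leaf $t.TaskPath
    $path = Split-Path -Parent $t.TaskPath
    if ($path -ne '\') { $path = "$path\" }   # Get-ScheduledTask wants a trailing backslash
    $visible = Get-ScheduledTask -TaskName $name -TaskPath $path -ErrorAction SilentlyContinue
    if (-not $visible) {
        Write-Warning "Task $($t.TaskPath) is invisible to Get-ScheduledTask"
    }
}

# 3. Enable the Operational log that DART recommends and pull recent events.
#    Event IDs used here: 106 task registered, 140 task updated,
#    141 task deleted, 200 action started.
wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'
    Id      = 106, 140, 141, 200
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

The registry walk is the part that actually catches Tarrask-style tasks: the Operational log only helps going forward, once it is enabled, and only if the attacker has not also cleared it. A task entry that has an Id but no SD value on a host where the log shows no matching registration event is a strong indicator that the task was planted and then scrubbed.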

Update 14 April 2022