The Hafnium threat group is one Microsoft has faced before, previously causing chaos on Microsoft Exchange servers last year. Now the group is back, and this time using the “Tarrask” malware to target Microsoft’s Windows platform.
Hafnium is known as a state-sponsored hacking group. Microsoft says it has found the defense evasion malware Tarrask within Windows. According to the Microsoft Detection and Response Team (DART), the OS remains vulnerable to attack.
“As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages un-patched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.”
Microsoft is now tracking Hafnium's activity and says the group is using new exploit methods to gain entry to the Windows subsystem. For example, it uses a previously unknown vulnerability in Windows to hide Tarrask within Task Scheduler.
One reason the malware is potent is that it is adept at evading detection. It achieves this by deleting the Security Descriptor registry value that a scheduled task should carry, which conceals the task from the usual ways of listing it. This means there is a bug within Windows Task Scheduler that Microsoft has yet to patch.
Microsoft points out the attack highlights why Hafnium is a threat to Windows:
“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.”
This bug is actively helping the malware cover its tracks and remain undetected within Windows. Microsoft DART recommends that users enable logging for “TaskOperational” in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log.
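As an added defender-side example (not code from Microsoft's report or the article), the following PowerShell enumerates the Task Scheduler task cache in the registry, lists any task entry that has no SD (security descriptor) value, and then enables the Operational log DART recommends. It assumes the default TaskCache\Tree registry location and an elevated session.

```powershell
# Added example, not from Microsoft's report: find scheduled task entries whose
# security descriptor (SD) registry value is missing, the artefact the article
# says Tarrask removes so the task no longer shows up in schtasks or the GUI.
# Assumes the default task cache location; run from an elevated PowerShell.
$TreePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskWithoutSD {
    param([string]$Path = $TreePath)
    # Tasks are stored as a folder hierarchy under Tree; recurse to cover subfolders.
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Folder keys carry no values; a real task entry has an 'Id' value.
        # A task entry with an Id but no SD is the hidden-task pattern.
        if ($null -ne $props.Id -and $null -eq $props.SD) {
            [pscustomobject]@{
                TaskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''
                TaskId   = $props.Id
                Index    = $props.Index
            }
        }
    }
}

$suspicious = Get-TaskWithoutSD
if ($suspicious) {
    Write-Warning 'Task entries with no SD value (not visible to schtasks /query or the Task Scheduler GUI):'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host 'All cached task entries carry a security descriptor.'
}

# Turn on the Task Scheduler Operational log so task registration, update,
# deletion and execution events are recorded from now on.
wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
```

Any entry reported here should be compared against the task's XML under %SystemRoot%\System32\Tasks and against the TaskCache\Tasks\{Id} key before it is treated as malicious, since the check only proves the descriptor is absent, not who removed it.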