SANS NewsBites

Audit Windows Scheduled Tasks to Detect Tarrask Malware; Restore All Security Controls Before Bringing Systems Up from Downtime; US Government Agencies Warn of Active Exploits Against ICS/SCADA Devices Using Custom Tools

April 15, 2022  |  Volume XXIV - Issue #30

Top of the News


2022-04-14

Tarrask Malware Hides in Scheduled Windows Tasks

Researchers from Microsoft's Detection and Response Team (DART) and Threat Intelligence Center (MSTIC) have detected malware that hides in Windows scheduled tasks to evade detection. Dubbed Tarrask, the malware is believed to be used by the Hafnium Chinese state-backed hacking group. Tarrask is able to maintain persistence even after reboots.

Editor's Note

This reminds me of the 3:50am alarm I set for an early flight that I thought I had killed but still manages to randomly come on every now and then. Mitigation here is pretty straightforward – know what legitimate scheduled tasks are in use and audit for discrepancies and tasks that attempt to hide from simple listing.

John Pescatore

The tasks are hidden due to a bug in Windows where tasks without a security descriptor are not displayed with traditional checks like "schtasks /query". The good news is you can scan the registry to find them, or enable Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs in which you can then look for key events related to the malware. The trick is you need to know what's expected to identify anomalies reliably. Leverage the IOCs in the Unit 42 post below to aid detection and thwart C2 channels.

Lee Neely
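The registry scan the note above suggests, as an added example that is not part of the newsletter or of Microsoft's own tooling: it walks the Task Scheduler cache, flags cache entries with no SD value and entries the Task Scheduler API does not list, then pulls recent task-creation events. It assumes the standard TaskCache layout (Tree entries whose Id GUID also exists as a key under Tasks) and an elevated shell.

```powershell
# Added example (not from the newsletter or Microsoft): audit the Task Scheduler cache
# in the registry for tasks lacking an SD (security descriptor) value, the condition
# that keeps a task out of "schtasks /query" output, and for cache entries that the
# Task Scheduler API does not report at all. Run from an elevated PowerShell.
# Assumes the standard TaskCache layout: Tree\<folder>\<task> entries carrying an Id
# GUID that is also a key name under Tasks\.
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskCacheEntries {
    Get-ChildItem -Path "$cache\Tree" -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # folders under Tree also carry an Id; only real tasks have a matching Tasks\{Id} key
        if ($props.Id -and (Test-Path -LiteralPath "$cache\Tasks\$($props.Id)")) {
            [pscustomobject]@{
                TaskPath = ($_.Name -replace '^.*\\Tree', '')   # e.g. \Microsoft\Windows\Foo
                Id       = $props.Id
                HasSD    = ($null -ne $props.SD)
            }
        }
    }
}

function Get-HiddenTasks {
    param([object[]]$Entries)
    # what the Task Scheduler API (and therefore schtasks /query) is willing to show
    $visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }
    $Entries | Where-Object { (-not $_.HasSD) -or ($visible -notcontains $_.TaskPath) }
}

$entries  = Get-TaskCacheEntries
$suspects = Get-HiddenTasks -Entries $entries
"Cache entries: $($entries.Count); flagged: $(@($suspects).Count)"
$suspects | Format-Table TaskPath, Id, HasSD -AutoSize

# Corroborate with the Security log the note mentions: event 4698 ("A scheduled task
# was created") is recorded once "Audit Other Object Access Events" is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Compare the flagged list against your inventory of expected tasks; an entry with no SD, or one that the API omits, is the anomaly to investigate.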

2022-04-14

Threat Actors Hung Out on US Government Agency Network for Months

Researchers from Sophos found that threat actors maintained a presence in a government agency's network for more than five months before deploying ransomware. It appears that at least two different groups of threat actors had access to the network. The attackers gained initial access through open Remote Desktop Protocol (RDP) ports on a firewall that was configured to allow public access to an RDP server. The agency might have been able to detect the attackers' presence sooner if the agency had deployed multi-factor authentication and a firewall rule blocking access to RDP ports without a VPN connection.

Editor's Note

Many lessons to be learned from this one, but I think the top one is: it looks like this attack was enabled when security controls were turned off during network maintenance and not restored afterwards. That left a PC with local server and domain admin credentials exposed. The attackers had a field day from there. When you take your boat out of the water and you remove the drain plug, job 1 is remembering to put the drain plug back in *before* putting the boat back in the water.

John Pescatore

Don't make access any easier than it has to be. Do not expose RDP to the Internet, and MFA all remote access mechanisms. Further, make sure you're actively managing accounts for remote access, authorizing only users with legitimate need, revalidate regularly, disable access judiciously. Restrict access to end-user accounts. Admins can elevate after connecting; service accounts shouldn't need to use RDP.

Lee Neely
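An added example, not from the newsletter or from Sophos, of checking a Windows host for the two RDP exposures the story and note describe: inbound firewall allow rules for TCP/3389 that are not scoped to the VPN range, and Network Level Authentication turned off. The VPN subnet is a constructed placeholder; MFA on the remote-access path is not something this script can verify.

```powershell
# Added example (not from the newsletter or Sophos): audit local RDP exposure.
# $vpnSubnet is a constructed placeholder for the only range that should reach RDP.
$vpnSubnet = '10.200.0.0/16'

function Get-OpenRdpRules {
    # Enabled inbound allow rules whose local port includes 3389/TCP
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -eq 'TCP' -and (@($portFilter.LocalPort) -contains '3389')) {
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
                # 'Any' means the rule is not restricted to the VPN range at all
                Unscoped      = (@($addrFilter.RemoteAddress) -contains 'Any')
            }
        }
    }
}

function Test-NlaRequired {
    # UserAuthenticationRequired = 1 means NLA is enforced before the logon screen is shown
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"
    return [bool]$ts.UserAuthenticationRequired
}

$rules = Get-OpenRdpRules
$rules | Format-Table Rule, Profile, RemoteAddress, Unscoped -AutoSize

if ($rules | Where-Object Unscoped) {
    Write-Warning "RDP allow rule(s) accept any remote address; scope them to $vpnSubnet or disable them"
    # Remediation for a flagged rule, applied deliberately per rule name:
    #   Set-NetFirewallRule -Name '<rule name>' -RemoteAddress $vpnSubnet
}
if (-not (Test-NlaRequired)) {
    Write-Warning 'Network Level Authentication is off for RDP-Tcp'
}
```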

2022-04-14

CISA, FBI, DOE, NSA: Custom PIPEDREAM Malware

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory warning that advanced persistent threat (APT) actors are using custom tools to target ICS/SCADA devices and gain full system access to multiple devices. The advisory provides technical details and suggested mitigations for strengthening ICS/SCADA security.

Editor's Note

These devices fall into the category of set and forget: once they are working, they will continue, undisturbed, almost indefinitely. The problem is we can't afford to let our guard down; we need to protect them so they can achieve their operational goals. The primary mitigations include segmentation; limiting access to authorized devices and users; using multi-factor authentication wherever possible; changing all default passwords; rotating all static passwords on a regular basis. Make sure your monitoring tools include OT-specific capabilities, and keep software/firmware updated.

Lee Neely

The Rest of the Week's News


2022-04-12

Ukraine Fends Off Power Grid Cyberattack

According to advisories from the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity company ESET, the Russian Sandworm hacking group launched attacks targeting high-voltage electrical substations in Ukraine. The attack was detected and stopped before it could cause any blackouts. CERT-UA says that the hackers gained access to systems at the electric utility earlier this year, but did not deploy the malware, known as Industroyer 2, until last week. The attackers also reportedly deployed wiper malware and a Linux worm.

Editor's Note

Ukraine has been doing battle with Sandworm for a long time and has become adept at shutting down their activity. It's nice to read stories where the attackers were unsuccessful in their disruption of services. What is concerning is that the attackers’ access was not detected sooner. Dwell time is a challenge; make sure that you truly know what normal is and can detect and identify irregular behavior. Monitor not only the security of authorized connections but also look for unauthorized ones, to include blocking unauthorized remote desktop access services.

Lee Neely

Read more in

Wired: Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine

SC Magazine: ‘The criminals are guided by the Russian Federation’: Ukraine responds to Industroyer2

Bleeping Computer: Sandworm hackers fail to take down Ukrainian energy provider

Cyberscoop: Russian hackers thwarted in attempt to take out electrical grid, Ukrainians say

Vice: Russia’s ‘Infamous Sandworm’ Hackers Tried to Attack Ukraine’s Energy Company


RaidForums Taken Down: read more in

Europol: One of the world's biggest hacker forums taken down

Bleeping Computer: RaidForums hacking forum seized by police, owner arrested

Vice: Law Enforcement Seizes RaidForums, One of the Most Important Hacking Sites

Fix Available for Elementor WordPress Vulnerability: read more in

Wordfence: Critical Remote Code Execution Vulnerability in Elementor

Bleeping Computer: Critical flaw in Elementor WordPress plugin may affect 500k sites

Security Week: Critical Vulnerability in Elementor Plugin Impacts Millions of WordPress Sites

DHS Thwarts Cyberattack on Undersea Cable: read more in

Star Advertiser: Cyberattack on Hawaii undersea communications cable thwarted by Homeland Security

Cyberscoop: DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii

Hawaii News Now: Federal agents disrupted cyberattack targeting phone, internet infrastructure on Oahu


2022-04-13

CISA: Update to Most Recent Struts 2

Apache says that a 2020 fix for a critical flaw in the Apache Struts 2 framework for Java was incomplete. The OGNL (Object-Graph Navigation Library) injection vulnerability could lead to remote code execution. The vulnerability affects Struts versions 2.0.0 through 2.5.59. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to update to the most recent version, 2.5.30 or later.

Editor's Note

Déjà vu anyone? The fix is to upgrade to 2.5.30, which has no issues with backward compatibility. Expedite fixing any Internet-accessible installations. Also make sure that developers are following the Struts Security tips for added defense in depth, particularly with regard to untrusted input.

Lee Neely

2022-04-13

Microsoft Patch Tuesday Includes Fix for Flaw That is Being Actively Exploited

On Tuesday, April 12, Microsoft released updates to fix more than 120 vulnerabilities in its products. Ten of the flaws are rated critical. One of the flaws addressed is a Windows Common Log File System Driver Execution Vulnerability, which is being actively exploited to gain elevated privileges. The US National Security Agency (NSA) and CrowdStrike reported the vulnerability to Microsoft.

Editor's Note

This patch set includes fixing CVE-2022-24521, which only has a CVSS score of 7.8. However, the exploit complexity rating is low, making it more important to address, as well as CVE-2022-26904 which has published exploit code but relies on a race condition to exploit. There are other vulnerabilities with scores as high as 9.8 which are also addressed. Rather than picking this apart, focus on getting the update deployed.

Lee Neely

2022-04-13

Aethon Hospital Robot Vulnerabilities Patched

Aethon has released fixes for five vulnerabilities affecting its TUG robots, which are used in hospitals to perform a variety of tasks. The flaws could be exploited to lock elevators and doors, disrupt medication delivery, and gain access to medical records, user credentials, and real-time camera feeds. The vulnerabilities are fixed in the latest version of TUG firmware. Aethon has also updated firewalls at hospitals with vulnerable robots so they could not be accessed through the hospitals' IP addresses.

Editor's Note

I still do a double take when I see robots like these in use in hospitals, restaurants, malls, and airports, wondering what could go wrong. In some areas, these robots are used to deliver medicines outside the hospital over pre-determined routes where exploitation of the flaws could be used to crash, misdirect, or otherwise actively interfere with intended operations. Applying the update in some cases is non-trivial, requiring firmware replacements and OS upgrades. The firewall changes provided necessary segmentation and should be viewed as a long-term security measure for robots, medical or otherwise. Remember to consider which of your IT systems they can reach and the impact a compromised device would have.

Lee Neely

2022-04-14

ZLoader Botnet Disrupted

Microsoft’s Digital Crimes Unit (DCU) has used legal measures to disrupt the ZLoader botnet. ZLoader comprises infected “devices in businesses, hospitals, schools, and homes around the world.” Armed with a court order, Microsoft took control of 65 domains associated with the botnet and redirected them to a Microsoft sinkhole. The court order also allowed Microsoft to take control of 319 fallback ZLoader domains. Microsoft has also linked ZLoader to an individual who lives in Crimea; that person is believed to have created a component that ZLoader uses to spread ransomware. The Microsoft DCU investigation was conducted in partnership with ESET, Black Lotus Labs, Palo Alto Networks, Health-ISAC and the Financial Services-ISAC.

Editor's Note

Ever read a story like this and think "I could do that"? Obtaining a court order, taking over domains and naming names is not something to take on trivially. You need considerable resources and time, not only to research, build the case and implement the actions, but also to defend yourself from any blow-back, to include partnerships such as the ones noted above.

Lee Neely

2022-04-12

RaidForums Taken Down

An international coalition of law enforcement agencies has taken down the RaidForums illegal online marketplace. The RaidForums administrator and two accomplices have been arrested. RaidForums sold access to leaked databases that contained payment card and bank account information. Operation TOURNIQUET, as the effort was dubbed, involved Europol and law enforcement agencies from the US, the UK, Sweden, Portugal, and Romania.

Editor's Note

The forum sold access to more than 10 billion consumer records since it started operation in 2015. The charges levied by the DOJ against the alleged 21-year-old forum administrator, Diogo Santos Coelho, include conspiracy, aggravated identity theft, and access device fraud.

Lee Neely

2022-04-13

Fix Available for Elementor WordPress Vulnerability

A critical vulnerability in the Elementor plug-in for WordPress could be exploited to upload and execute malicious code. The flaw appears to have been introduced in version 3.6.0, which was released in March. Users are urged to update to Elementor version 3.6.3 or higher. Elementor has more than five million installs.

Editor's Note

The flaw was introduced when a simplified onboarding module was released which omitted proper nonce checking before executing commands. The update for the Elementor plug-in was released April 12, 2022 and required pressure from the WordPress plugins team to elicit action. Even though WAF rules are available for the paid and free versions on March 29th and April 28th respectively, install the updated plugin regardless.

Lee Neely

The usual caution that WordPress plug-ins should be used only by design and intent, not by default, and must be actively managed.

William Hugh Murray

2022-04-13

DHS Thwarts Cyberattack on Undersea Cable

Investigators from the US Department of Homeland Security have reportedly foiled an attempted cyberattack against a company that manages undersea communications cable in Hawaii. The attackers breached the servers belonging to the private company, but their actions were thwarted before they caused any damage. A suspect has been arrested.

Editor's Note

When someone mentions risks to undersea cables, I think of anchors or other physical impacts. It turns out the better attack vector is a logical path targeting companies or services which are managing the onshore connection points. These rely on remote management and administration tools to offset having staff physically present at these locations. While remote management is a good option, it needs to be done securely and those systems closely monitored for attempted malfeasance. Additionally, physical security also needs to be appropriate to thwart and deter direct interaction. Don't ignore lifecycle updates to keep the bar high. It's also a good idea to schedule regular physical verification actions commensurate with the risk of compromise.

Lee Neely

After prevention, early detection is the efficient tactic. A retrospective reading of the Verizon Data Breach Incident Report suggests that we are not good at it, weeks to months, and not getting better. This exception to the rule suggests that hours to days is possible.

William Hugh Murray

Internet Storm Center Tech Corner

An Update on CVE-2022-26809 MSRPC Vulnerability - PATCH NOW

https://isc.sans.edu/forums/diary/An+Update+on+CVE202226809+MSRPC+Vulnerabliity+PATCH+NOW/28550/

Webcast: https://www.sans.org/webcasts/cve-2022-26809-ms-rpc-vulnerability-analysis/

https://twitter.com/splinter_code/status/1514653941304369153


Update on Windows Patches and CVE-2022-26809

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26809


Microsoft April 2022 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+April+2022+Patch+Tuesday/28542/


How is Ukrainian Internet Holding Up During Russian Invasion

https://isc.sans.edu/forums/diary/How+is+Ukrainian+internet+holding+up+during+the+Russian+invasion/28546/


Google Chrome 0-Day Patch

https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html


Cisco Webex Phones Home Audio Telemetry

https://wiscprivacy.com/papers/vca_mute.pdf


Grafana Enterprise Vulnerability

https://grafana.com/blog/2022/04/12/grafana-enterprise-8.4.6-released-with-high-severity-security-fix/


Adobe Updates

https://helpx.adobe.com/security/products/photoshop/apsb22-20.html


Apache Struts 2 Update

https://cwiki.apache.org/confluence/display/WW/S2-062


NGINX Statement To LDAP Weakness

https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/


Attacks on Ukrainian Power Grid

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/