Audit Windows Scheduled Tasks to Detect Tarrask Malware; Restore All Security Controls Before Bringing Systems Up from Downtime; US Government Agencies Warn of Active Exploits Against ICS/SCDA Devices Using Custom Tools

This reminds me of the 3:50am alarm I set for an early flight that I thought I had killed but still manages randomly come on every now and then. Mitigation here is pretty straightforward – know what legitimate scheduled tasks are in use and audit for discrepancies and tasks that are attempted to hide from simple listing.

John Pescatore

The tasks are hidden due to a bug in Windows where tasks without a security descriptor are not displayed with traditional checks like "schtasks /query." The good news is you can scan the registry to find them, or enable Secuirty.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs in which you can then look for key events related to the malware. The trick is you need to know what's expected to identify anomalies reliably. Leverage the IOC's in the Unit 42 post below to aid detection and thwart C2 channels.

Lee Neely

Many lessons to be learned from this one, but I think the top one is: Looks like this attack was enabled when security controls were turned off during network maintenance and not restored afterwards. That left a PC with local server and domain admin credentials exposed. The attackers had a field day from there. When you take your boat out of the water and you remove the drain plug, job 1 is remembering to put the drain plug back in *before* putting the boat back in the water.

John Pescatore

Don't make access any easier than it has to be. Do not expose RDP to the Internet, and MFA all remote access mechanisms. Further, make sure you're actively managing accounts for remote access, authorizing only users with legitimate need, revalidate regularly, disable access judiciously. Restrict access to end-user accounts. Admins can elevate after connecting; service accounts shouldn't need to use RDP.

Lee Neely

These devices fall into the category of set and forget: once they are working, they will continue, undisturbed, almost indefinitely. The problem is we can't afford to let our guard down, we need to protect them so they can achieve their operational goals. The primary mitigations include segmentation; limiting access to authorized devices and users; using multi-factor authentication wherever possible; changing all default passwords; rotating all static passwords on a regular basis. Make sure your monitoring tools include OT specific capabilities, and keep software/firmware updated.

Lee Neely

Ukraine has been doing battle with Sandworm for a long time and has become adept at shutting down their activity. It's nice to read stories where the attackers were unsuccessful in their disruption of services. What is concerning is that the attackers’ access was not detected sooner. Dwell time is a challenge; make sure that you truly know what normal is and can detect and identify irregular behavior. Monitor not only the security of authorized connections but also look for unauthorized ones, to include blocking unauthorized remote desktop access services.

Lee Neely

Deja-vu anyone? The fix is to upgrade to 2.5.30, which has no issues with backward compatibility. Expedite fixing any Internet accessible installations. Also make sure that developers are following the Struts Security tips for added defense in depth, particularly with regards to untrusted input.

Lee Neely

This patch set includes fixing CVE-2022-24521, which only has a CVSS score of 7.8. However, the exploit complexity rating is low, making it more important to address, as well as CVE-2022-26904 which has published exploit code but relies on a race condition to exploit. There are other vulnerabilities with scores as high as 9.8 which are also addressed. Rather than picking this apart, focus on getting the update deployed.

Lee Neely

I still do a doubletake when I see robots like these in use in hospitals, restaurants, malls, and airports, wondering what could go wrong. In some areas, these robots are used to deliver medicines outside the hospital over pre-determined routes where exploitation of the flaws could be used to crash, misdirect, or otherwise actively interfere with intended operations. Applying the update in some cases is non-trivial, requiring firmware replacements and OS upgrades. The firewall changes provided necessary segmentation and should be viewed as a long-term security measure for robots, medical or otherwise. Remember to consider which of your IT systems they can reach and the impact a compromised device would have.

Lee Neely

Ever read a story like this and think "I could do that?" Obtaining a court order, taking over domains and naming names is not something to take on trivially. You need considerable resources and time to include not only research, build the case and implement the actions, but also defend yourself from any blow-back, to include partnerships such as the ones noted above.

Lee Neely

The forum sold access to more than 10 billion consumer records since it started operation in 2015. The charges levied by the DOJ against the alleged 21-year-old forum administrator, Diogo Santos Cohelo, include conspiracy, aggravated identity theft, and access device fraud.

Lee Neely

The flaw was introduced when a simplified onboarding module was released which omitted proper nonce checking before executing commands. The update for the Elementor plug-in was released April 12, 2022 and required pressure from the WordPress plugins team to elicit action. Even though WAF rules are available for the paid and free versions on March 29th and April 28th respectively; install the updated plugin regardless.

Lee Neely

The usual caution that WordPress plug-ins should be used only by design and intent, not by default, and must be actively managed.

William Hugh Murray

When someone mentions risks to undersea cables, I think of anchors or other physical impacts. It turns out the better attack vector is a logical path targeting companies or services which are managing the onshore connection points. These rely on remote management and administration tools to offset having staff physically present at these locations. While remote management is a good option, it needs to be done securely and those systems closely monitored for attempted malfeasance. Additionally, physical security also needs to be appropriate to thwart and deter direct interaction. Don't ignore lifecycle updates to keep the bar high. It's also a good idea to schedule regular physical verification actions commensurate with the risk of compromise.

Lee Neely

After prevention, early detection is the efficient tactic. A retrospective reading of the Verizon Data Breach Incident Report suggests that we are not good at it, weeks to months, and not getting better. This exception to the rule suggests that hours to days is possible.

William Hugh Murray