Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method… 
Continue reading → Persistence – Scheduled Task Tampering

Windows Task Scheduler enables windows users and administrators to perform automated tasks at specific time intervals. Scheduled tasks has been commonly abused as a method of persistence by threat actors and red teams and therefore this technique has drawn a lot of attention from SOC teams which are monitoring specific Windows Event ID’s in order to identify modifications in Windows Scheduled Tasks.

The _schtasks_ utility is part of the Windows ecosystem and can be used to tamper (create or modify) a schedule task in order to execute an arbitrary implant and establish persistence under the context of a standard user or administrator. Microsoft has disclosed artifacts from the HAFNIUM threat actor which has led to the discovery of a new approach which evades the usage of _schtasks_ which might be heavily monitored and leverage the Windows registry to tamper scheduled tasks. Manipulation of registry keys to create or modify scheduled tasks doesn’t generate the typical noise (Event ID 4698 & 106) and offers a stealthier approach of establishing persistence.

Scheduled Tasks are stored in registry in the following locations:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

The registry key _Tree_ contains the scheduled tasks by name and each task has the following registry keys:

Default

Empty

Id

GUID of the Task

Index

DWORD value

SD

Security Descriptor of the Task

The above registry keys structure can be re-created to generate a new scheduled task. It should be noted that removal of the SD registry key will result the task not to be visible in the Task Scheduler or when using the command _schtasks /query_. However, elevated privileges (SYSTEM) are required in order to create or remove these registry keys.

Registry Scheduled Tasks Tree

The registry key _Tasks_ contains the GUID of the scheduled task (mapping to the Id value of the Tree registry key) and other registry keys which are required to run a scheduled task such as:

*   Task Trigger
*   Task Action
*   Path

The information is formatted in encoded keys and binary blobs. Microsoft has also disclosed that deleting the registry keys _Tasks_ & _Tree_ will not have any effect in the scheduled task as it will continue to run with the defined parameters until the _svchost_ process is terminated or the system is rebooted.

Registry Scheduled Tasks

**Create New Task**

Chris Au developed a beacon object file called GhostTask which implements the stealth technique of Scheduled Task tampering. GhostTask can create the registry structure for the arbitrary scheduled task directly from memory. Executing the following command will run the implant on a daily basis at a specific time.

    GhostTask.exe localhost add pentestlab "cmd.exe" "/c demon.x64.exe" red\Administrator daily 11:30

Scheduled Tasks – Create New Task

The information about the newly created task will be displayed at the end of the console.

Scheduled Tasks – Create New Task output

Examining the registry will verify that the registry keys have been been created successfully.

Scheduled Task Tampering – Arbitrary Task

Scheduled Task Tampering – Task Information

The command that will run the implant will be stored in the actions key.

Scheduled Task Tampering – Actions Registry Key

**Task Modification**

GhostTask can be also used to tamper an existing scheduled task with an arbitrary beacon for a more stealthier approach. Execution of the following command will modify the _CacheTask_ in order to execute the beacon under the context of the user _peter_ on a daily basis at a specific time interval.

    GhostTask.exe localhost add "Microsoft\Windows\Wininet\CacheTask" "cmd.exe" "/c C:\Users\peter\Downloads\demon.x64.exe" red/peter daily 11:37

Scheduled Task Tampering – Task Tampering

Looking at the _Task Scheduler_ will verify that the task has been modified successfully.

Scheduled Task Tampering – Scheduled Tasks

The default implant of Havoc Command and Controller supports a scheduled task bof which can be used to query the tampered scheduled task from the implant.

    schtasksquery Microsoft\Windows\Wininet\CacheTask

Havoc C2 – Scheduled Task Query

The XML schema of the scheduled task will be displayed in the output as an alternative method to verify that the task has been tampered.

Havoc C2 – Scheduled Task Enumeration

Once the scheduled task is executed a connection will be established.

Scheduled Task Tampering – Havoc C2 Session

**References**

*   https://labs.withsecure.com/publications/scheduled-task-tampering
*   https://github.com/netero1010/GhostTask
*   https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
*   https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/

**Post navigation**

Persistence – Scheduled Task Tampering

By Deeba Ahmed
Scammers taking advantage of a humanitarian crisis? Well, who saw that coming...
This is a post from HackRead.com Read the original post: Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

Cybersecurity researchers reveal a new crypto donation scam manipulating the humanitarian crisis in Gaza, with scammers preying on sympathy for Palestinian children to solicit funds – Over 200 individuals and numerous organizations have fallen victim to the elaborate scheme.

Cybersecurity researchers at Abnormal Security have uncovered a deceptive new crypto donation scam exploiting the humanitarian crisis in Gaza where scammers trick users by generating sympathy for Palestinian children to request donations. Around 212 individuals across 88 organizations have become targets of this charity attack.

Threat actors like to capitalize on geopolitical events as trapping people and gaining sympathy becomes easier. We witnessed the same in the case of the missing Malaysian flight MH370, how scammers propagated fake videos and images, falsely claiming that the missing jet was found in the Bermuda Triangle. In reality, they exploited the incident to spread malicious links.

In the latest fraud campaign, scammers send emails that are apparently sent by a group called “help-palestinecom.” The sender urges the recipients to contribute to their campaign to support Palestinian families.

It is worth noting that scammers ask for donations in cryptocurrency ranging from $100 to $5000 and include cryptocurrency wallet addresses for Bitcoin, Ethereum, and Litecoin to avoid being tracked.

Unsuspecting users fall for the lure and donate, thinking that this money would help provide Palestinian children with basic needs such as medical care, clean water, and internet access. 

To enhance the email’s legitimacy, the scammers have included links to three of the latest news articles on the impact of the conflict on children. Moreover, they have strategically used emotionally stirring language to emphasize the challenges of children in Palestine.

For instance, they used “children in Palestine face unimaginable challenges daily,” “a lifeline for these children caught in the crossfire,” and “the children in Palestine are dying.” To avoid detection, scammers have used multiple tactics, including spoofing the email address of an Indian stock brokerage firm Goodwill Wealth Management and creating a fake domain.

According to Abnormal Security’s CISO and advisory author, Mike Britton, legacy secure email gateways (SEGs) fail to detect this scam because of social engineering techniques used by scammers and the absence of apparent indicators such as grammatical errors or payloads. Britton emphasized the need for AI-based email security solutions that could distinguish between malicious and genuine content.

“AI-powered email security platform is trained to identify social engineering tactics, it recognizes that this email is attempting to leverage emotional manipulation to convince the target to bypass rational thinking and quickly transfer funds. It can also detect and flag the mismatch between the sender’s email and the reply-to address, as this is a common attack tactic,” Britton explained.

The scam email sent by scammers for a crypto donation scam (Credit: Abnormal Security)

The scam is the latest to join the manipulative attacks exploiting ongoing geopolitical crises. The FBI issued warnings on 6 and 14 November 2023 to alert users about fraudsters attempting to exploit the war in Gaza.

The bureau highlighted that fraudsters can use emails, social media, cold calls, crowdfunding sites, and charities/fundraisers to solicit payments. FBI warnings noted that apart from opportunistic cybercriminals, terrorist organizations can also establish fake charities to “subsidize their operations.”

Users are, therefore, advised to exercise caution and verify the legitimacy of the sender and their claims before donating.

****_RELATED ARTICLES_****

1.  **Scammers using fake WHO Bitcoin wallet to steal donation**
2.  **Ransomware group donates $20,000 in BTC to two charities**
3.  **US disrupts 3 cryptocurrency campaigns run by terror groups**
4.  **Black Lives Matter movement exploited to spread Trickbot malware**
5.  **Indian PM Modi’s Twitter handle hacked to ask for Bitcoin donations**

Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

By Deeba Ahmed
Czech Republic Police Expose 'Fake Bankers' Gang in $8.7 Million Vishing Operation.
This is a post from HackRead.com Read the original post: Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

Europol Warns of Growing Vishing Trend as Criminals Exploit Phone Calls for Massive Financial Gains

Ukrainian and Czech police under the supervision of Europol have dismantled a criminal gang that stole millions of dollars from bank customers in Czechia through vishing scams. According to Europol’s press release, the police also arrested ten suspects (aged 18-29) in connection with the multimillion-dollar fraud ring.

A joint investigation was initiated by Europol that led to the arrest of four individuals in Czechia and six in Ukraine in April 2023. Those arrested from Ukraine were later extradited to Czechia.

During the crackdown, investigators seized SIM cards, mobile phones, and computer equipment from the suspects’ vehicles, call centers, residences, and offices located in Czechia (Domazlice, Rokycany, and Plzen) and Ukraine (Dnipropetrovsk). Some of the suspects had a history of drug offences, violent crimes, and document forgery.

The criminal organization, based in Ukraine, conducted vishing attacks against Czech victims. They operated from call centers in Ukraine and called bank customers using spoofed phone numbers, posing as bank security officers. This scamming method is called vishing (created by combining voice and phishing).

The targets were told that their bank account was hacked and lured into revealing their banking data, such as credit card numbers, login credentials, and other details. Scammers also made phone calls pretending to be a police official to confirm the hacking.

After gaining trust, the scammers persuaded their victims to transfer funds from their “compromised” bank accounts to “safe” bank accounts, which the scammers owned. Through these scams, the fraudsters made approximately $8.7 million (€8 million) from victims in Czechia alone.

The Czech Republic police uncovered this scam. In November 2021, they contacted Eurojust to launch an investigation. Europol then formed a joint investigation team in June 2022, comprising Europol’s European Cybercrime Centre (EC3) officials and the Czech and Ukrainian investigators. The agency organized five meetings to facilitate judicial cooperation between the authorities.

The police called the gang’s activities one of the **“most extensive series of frauds committed through fake bankers.”** Currently, Europol is conducting analytical work and providing digital forensic support for the confiscated equipment.

Image via Czech Republic police

Vishing fraud has become more widespread and popular lately. It usually involves someone pretending to be from a reputable organization, institution, or government agency and deceiving people into disclosing confidential, personal data.

The severity of vishing scams is highlighted by the September 2023 incident when the notorious ALPHV (BlackCat) ransomware gang exploited vishing to deceive an MGM Resorts employee, enabling them to breach the company’s security and compromise its network.

To protect yourself from such scams, always be cautious of unsolicited phone calls, note the caller’s phone number, and tell them you will call back and quickly verify their identity by calling the organization.

Don’t believe any caller if they have basic information about you because it could be taken from social media. Lastly, keep your credit/ debit card PIN or online banking password private because bank representatives would never ask for this information.

****_RELATED ARTICLES_****

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
3.  **Cisco Breach – Employee’s Google Account was Hacked**
4.  **The Types of Phishing Attacks and How to Dodge All of Them**
5.  **SpyNote Spyware Using SMS Phishing Against Banking Customers**

Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

Plus: The FBI's baffling inaction on a ransomware group, a massive breach of Danish electric utilities, and more.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

For years, mercenary hacker companies like NSO Group and Hacking Team have repeatedly been the subject of scandal for selling their digital intrusion and cyberespionage services to clients worldwide. Far less well-known is an Indian startup called Appin that, from its offices in New Delhi, enabled customers worldwide to hack whistleblowers, activists, corporate competitors, lawyers, and celebrities on a giant scale.

In a sprawling investigation, Reuters reporters spoke to dozens of former Appin staff and hundreds of its hacking victims. It also obtained thousands of its internal documents—including 17 pitch documents advertising its “cyber spying” and “cyber warfare” offerings—as well as case files from law enforcement investigations into Appin launched from the US to Switzerland. The resulting story reveals in new depth how a small Indian company “hacked the world,” as Reuters writes, brazenly selling its hacking abilities to the highest bidder through an online portal called My Commando. Its victims, as well as those of copycat hacking companies founded by its alumni, have included Russian oligarch Boris Berezovsky, Malaysian politician Mohamed Azmin Ali, targets of a Dominican digital tabloid, and a member of a Native American tribe who tried to claim profits from a Long Island, New York, casino development on his reservation.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

The Startup That Transformed the Hack-for-Hire Industry

Beyond the blinding speeds and sharp turns on new terrain, the teams at this weekend’s big F1 race are preparing for another kind of danger.

Every Formula 1 race weekend is essentially a pop-up event in a different city around the world, bringing 10 teams, their cars, and their entire mobile infrastructure to Australia, Singapore, Monaco, and beyond. This weekend's Las Vegas Grand Prix is especially unscripted, though, because the event is Formula 1's debut in Sin City. Cold weather and a rogue drain cover on the track have already injected some chaos into the spectacle. But as they prepared for the event, cybersecurity specialists from McLaren Racing, the city of Las Vegas, and the security firm Darktrace told WIRED that they aren't deterred—their whole job is to expect the unexpected.

Major live sporting events are a prime target for hackers because they are prominent, highly visible, and draw international attention. Russia's notorious attempt to target the 2018 Winter Olympics in South Korea, for example, included both disruptive attacks and hacks for information gathering. All sports now incorporate advanced elements of digital analysis and quantified performance, but Formula 1 is a particularly data-heavy sport. Race cars are essentially giant sensor arrays that are hurtling around at more than 200 miles per hour, generating massive amounts of information. The quicker teams can crunch the numbers from the track, the sooner they can determine which strategies and modifications to employ in real time or in preparation for the final race of the weekend. But a denial of service attack on any of a team’s engineering systems, one that disrupts their real-time communications, or theft of intellectual property could be disastrous for an F1 team.

“We’re a very public sport,” says Ed Green, McLaren's head of commercial technology. “Our people are known and where we’re racing is known and what we do is known. And while there are lots of unknown things about our operation, lots of what we do is public so people can find out information and start to target us. So what we’re trying to do is make sure that security is part of the team and an additive part of what we do.”

Green describes McLaren's setup at each race as “an extension of the office for the weekend.” The infrastructure is a sort of mobile data center where, for example, the pit crew on the ground is working as a remote part of the garage back at headquarters. This means that a crucial component of the entire operation is reducing latency in the digital connection between the track and home base—a geographic and network distance that varies significantly from weekend to weekend as the season plays out around the world. Green says that during the Brazil race in Sao Paulo at the beginning of November, McLaren was connected to its HQ in England with just a 223-millisecond delay.

“We pull down 1.5 terabytes of data a weekend and run 50 million simulations over the course of a weekend. And I would break down the importance of cybersecurity in a few different buckets,” McLaren CEO Zak Brown says. “We have the design IP of our race car, and that is highly confidential trade secrets that we're moving around a lot. We're dealing with third parties and racing around the world. And then we have all the data that is going on at the race track, where we're literally making split-second decisions.”

Darktrace, which provides digital defense services for McLaren and has also worked with the city of Las Vegas on its cybersecurity for years, says that phishing, business email compromise, and other scams are the types of attacks its real-time, artificial-intelligence-based threat monitoring system detects and blocks most often related to Formula 1, both day to day and on race weekends.

“One of the things that I've learned from being a partner with McLaren is the car changes continuously, every race there are things that are changing, new elements being introduced based on the track conditions,” says Nicole Eagan, Darktrace's chief strategy and AI officer. “It's a continuous updating and changing of IP that's much more dynamic than in other industries that we protect.”

All of this change and quick communication both within an organization and with third parties creates potential opportunities for scammers. But McLaren's Brown also notes that Formula 1 teams need to be wary of their position on the global stage.

“It's one thing to lock down Fort Knox—we’re moving 24 times around the world into different countries, from China to Saudi Arabia to Las Vegas,” he says. “Each one has its own challenges. With the growth of the sport, how much technology we use and where we're racing, people will attempt to use our sport sometimes in a political nature. There are bad actors that can potentially come at us from every angle and for every reason, some of which aren't personal. So therefore cybersecurity is right at the top of the list when we go through our IT needs.”

While Darktrace chief information security officer Mike Beck agrees that geopolitics and hacktivism can pose a threat to a sport with as much global reach as F1, he adds that competitive racing's simple and straightforward goal is an advantage for defenders.

“The mission is so clear, get that car around the track as fast as possible and make sure no one steals your IP and you don’t get locked out,” he says. “When you get that sort of clarity on a mission you can articulate risk really, really well.”

While preparing for the Formula 1 race weekend has been a logistical challenge in many ways, Michael Sherwood, Las Vegas' chief innovation and technology officer, says that the city is well positioned to handle the cybersecurity component because it deals with so many high-profile events throughout the year. Las Vegas has also invested in smart city infrastructure and already defends a massive array of deployed sensors and other networked devices.

Recent cyberattacks that targeted some of Las Vegas' entertainment giants, including Caesar's and MGM Resorts, have put the city on even higher alert, Sherwood says. But he adds that whether he's working on digital defenses for the Grand Prix, New Year's Eve, or just a regular night of epic Vegas partying, “there’s no resting. This is the world we live in—you’re on guard all the time, preparing and prepping.”

Inside the Race to Secure the F1 Las Vegas Grand Prix

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.

**Cross-site Scripting in OpenCRX**

Moderate severity GitHub Reviewed Published Nov 18, 2023 to the GitHub Advisory Database • Updated Nov 20, 2023

GHSA-5phw-6g3r-55xx: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.

GHSA-hhcf-79pm-r8r9: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.

GHSA-96q4-7fwr-gmxh: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.

GHSA-chj5-8wxj-rxg8: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.

Tag

#git