Microsoft: These hackers

Microsoft: These hackers: Attackers with a “unique understanding” of the Windows subsystem are using it to mask their activities.

Microsoft has exposed Tarrask, a piece of malware from a likely China-backed, a state-sponsored hacking group that targets Windows machines by creating invisible scheduled software updates.

The Windows maker has attributed the malware to Hafnium, the same hacking group that the US and UK blamed on Exchange Server hacks last year.  

Microsoft: These hackers are targeting emergency response and security organizations in Ukraine

Actinium, a hacking group linked to Russia’s Federal Security Service (FSB), uses phishing emails as a way to infiltrate government, defense, and security agencies.

Trask is a simple piece of malware that creates unwanted scheduled tasks on Windows machines to remain on it after a reboot. The malware utilizes the Windows Task Scheduler, which admins can legitimately use to automate tasks such as software updates for browsers and other apps, but in this case, the attackers are using it for nefarious reasons. 

SEE: Windows 11 security: How to protect your home and small business PCs

Microsoft: Lapsus$ Gained ‘Limited Access’ In Hack Attack

‘No customer code or data was involved in the observed activities,’ according to the blog post. ‘Our investigation has found a single account had been compromised, granting limited access.’

Scheduled tasks have become a popular manner of hacking Windows machines for persistence. Microsoft found the Russian hackers behind the SolarWinds supply chain hack were also using scheduled tasks to gain persistence on a machine.   

“We’ve found that threat actors commonly make use of this service to maintain persistence within a Windows environment,” Microsoft notes in a blogpost, and despite its “simplicity”, it’s effective.

Tarra’s malware generates certain registry keys upon the creation of a scheduled task, whether using the Task Scheduler graphical user interface or the schtasks command-line utility.

In this case, the use by hackers of Windows Task Scheduler was part of a broader attack on the Zoho Manage Engine Rest API authentication bypass vulnerability, tracked as CVE-2021-40539. Microsoft was tracking the exploitation of this bug in November because China-backed hackers were using Zoho’s password management and single sign-on software to compromise Windows machines with the Godzilla web shell. 

Explained: All about Lapsus$, the hacker group that has targeted Microsoft, Samsung, Okta, Nvidia

Microsoft says Hafnium hackers were using this combination of legitimate Windows services and Zoho’s bug from August 2021 to February 2022 to target organizations in the telecommunication, internet service provider, and data services sector. In mid-2021, the group had targeted disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Tarras creates hidden scheduled tasks, but also creates additional actions to hide the scheduled tasks from detection by antivirus. 

SEE Cybersecurity: Let’s get tactical (ZDNet special report)

Microsoft offers instructions as to how defenders can manually check the registry tree to see whether attackers have created these unwanted scheduled tasks. 

Microsoft acknowledges that Hafnium hackers have developed a “unique understanding of the Windows subsystem” and use it to “hide in plain sight”. 

Microsoft confirms hacker group Lapsus$ breached its systems

Microsoft Corp said that the hacker group Lapsus$ gained “limited access” to its systems, following a claim by the group that it obtained source code for the Bing search engine and Cortana voice assistant.

As Microsoft notes, the methods used by this attack group are “problematic” for systems that don’t get rebooted that often. These can include critical systems like domain controllers and database servers. 

Microsoft has some steps for admins to take to ensure these hidden scheduled tasks can be detected.

“The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets are in place,” it said. 


  • Using Russian tech? Look at the risks again
  • Hundreds more packages were found in malicious npm ‘factory’
  • The 5 best VPN services compared
  • Apple updates macOS, iOS, and iPadOS to fix possibly exploited zero-day flaws
  • Is it safe to use text messages for 2-factor authentication?

Microsoft: These are the Windows Update policies to use for your PCs (and rollercoasters)

Wondering about Windows updates for PCs or kiosks, billboards, and rollercoasters? Microsoft has it covered.

Microsoft has detailed how you should use Windows Update policies to keep your devices updated and secure, from single-user devices right through to kiosks and billboards – and rollercoasters.

The tech giant’s first bit of advice for admins using Windows Group Policy to manage enterprise Windows 10 and Windows 11 devices is don’t mess too much with the defaults. 

Microsoft has detailed how you should use Windows Update policies to keep your devices updated and secure, from single-user devices right through to kiosks and billboards – and rollercoasters.

Microsoft confirms Lapsus$ hackers stole source code via ‘limited’ access

The tech giant’s first bit of advice for admins using Windows Group Policy to manage enterprise Windows 10 and Windows 11 devices is don’t mess too much with the defaults. 

SEE: Windows 11 security: How to protect your home and small business PCs

Admins can use Group Policy to control the timing of updates for Patch Tuesday, emergency patches, and new feature releases of Windows. The default for Windows Update in the enterprise is much like the experience for consumers on Windows PCs. But there are many other ways Windows and Windows Update is used to keep all manner of devices operational when needed and also patched regularly during downtime. 

The default Windows Update policy is for devices to scan daily, automatically download and install any applicable updates “at a time optimized to reduce interference with usage, and then automatically try to restart when the end-user is away,” according to Microsoft senior program manager Aria Carley. 

“Leverage the defaults!” Carley said. 

But there are so many use cases for Windows that the defaults can’t cover every scenario. Besides single-user personal Windows devices, there are multi-user devices; education devices; kiosks and bank ATMs; factory machines, rollercoasters, and critical infrastructure; and Microsoft Teams Rooms devices.

Microsoft confirms it was hacked — what does this mean for you?

While the defaults are a good baseline, Carley offers details about how to use Group Policy to tweak the timing of automatic updates for each use case. She’s also compiled a list of 25 Group Policy settings that admins should not use. 

For use cases where Group Policy can be used, admins can specify “the number of days before an update is forced to install” during active hours, when the user may be present. This applies to single-user devices that could be connected to the corporate network or used remotely. 

Microsoft recommends the use of deadlines because of heightened security risks from ransomware and destructive malware. The US Cybersecurity and Infrastructure Security Agency (CISA) is concerned destructive malware may target US organizations due to US sanctions on Russia over its invasion of Ukraine.   

Multi-user devices like HoloLens or a PC in a lab or library setting may have set periods in which they are used, such as a building’s opening hours. Updating these at midnight, when staff is away, could be ideal. 

For education devices, admins can ensure Windows update notifications or automatic reboots don’t happen during the school day. To do this while remaining patched, admins can check the new Group Policy box option “Apply only during active hours”. 

However, this feature is currently only for devices in the Windows Insider Program for Business in the Dev or Beta channels. Microsoft notes: “For those on Windows 10 or Windows 11, version 21H2 devices, we do not recommend configuring this and instead recommend leveraging the default experience.”

Another relevant Group Policy setting is “Turn off auto-restart for updates during active hours”, which overrides Microsoft’s default “intelligent active hours” – a measure that is calculated on the devices based on user usage. 

SEE: How to talk about tech: Five ways to get people interested in your new project

For things like kiosks, billboards, and ATMs, owners may wish for no notifications or auto reboots and prefer to reboot during ‘low visibility’ hours. There are four relevant policies for these devices to avoid notifications that would be useless and disruptive to passive users, as well as reboots during typical active hours. Admins have an option to set the update to occur at 3 AM daily, the assumed low visibility hour.  

There are some devices that you might not think of as needing a Windows Update, but even admins of factory devices, rollercoasters, and critical infrastructure also get advice on how to manage and automate update behavior if needed. 

As Carley notes: “Machines on the factory floor, rollercoasters at amusement parks, and other critical infrastructure can all require updates. Given the criticality of these devices, it is pivotal that they stay secure, stay functional, and are not interrupted in the middle of a task. Often these are some of the devices in the final wave when rolling out an update after everything else has been validated.” 

Carley adds: “Note: This is one of the only use cases where compliance deadlines are not recommended given automatic updates are never acceptable in this scenario.”


  • The top mind mapping software: Organize and visualize your ideas
  • These are the Windows Update policies to use for your PCs (and rollercoasters)
  • The best encryption software: Protect your data
  • The leading cloud providers: AWS, Microsoft Azure, and Google Cloud compared





Leave a Reply

Your email address will not be published.