Scheduled Tasks, AnyDesk, and VPN Compromise 

Between September 18-25, 2024, Blackpoint’s Security Operations Center (SOC) responded to 404 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved confirmed or likely threat actor use of:

• Scheduled tasks to conduct SSH port forwarding and execute encoded PowerShell.
• AnyDesk to maintain persistence.
• VPN compromise for initial access and Advanced Port Scanner for discovery.

In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.

Topline Takeaways

• Industry target: Technology
• Attacker methods:
  • Multiple scheduled tasks: “Apple Sync,” “Google Disk Sync,” “Google Photo Sync,” “Security Update”
  • SSH port forwarding
  • Encoded PowerShell
• Recommended mitigations:
  • Employ least privilege access control.
  • Ensure the operating system is configured securely.
  • Regularly audit both the environment and endpoints.

Incident Timeline for 2024-09-18

Blackpoint’s MDR technology alerted our Active SOC to encoded PowerShell and SSH port forwarding on the host of a technology partner. Initial investigation tied these alerts to multiple scheduled tasks running on the host, including “Apple Sync,” “Google Disk Sync,” “Google Photo Sync,” and “Security Update.”

Further analysis revealed these tasks installed, started, and disabled OpenSSH, enabling SSH port forwarding. Blackpoint’s SOC analysts isolated the device, deleted the scheduled tasks, and found no signs of lateral movement or additional malicious activity.

More About Malicious Use of Scheduled Tasks

Scheduled tasks allow administrators to automate maintenance but have been historically exploited by threat actors to maintain persistence. These tasks blend in with normal traffic and allow attackers to execute malicious code undetected.

In this case, the “Apple Sync” task was tied to SSH port forwarding, while the “Google Disk Sync” and “Google Photo Sync” tasks executed encoded PowerShell that called out to a C2 domain linked to Cobalt Strike campaigns. “Security Update” allowed these tasks to run by installing OpenSSH.

APG Threat Analysis for Scheduled Tasks

Blackpoint’s Adversary Pursuit Group (APG) predicts the continued use of scheduled tasks by threat actors for persistence in 2024, as observed in similar incidents involving our partners in Industrials on August 21, 2024, and Technology on June 9, 2024. External reports further reinforce this trend, with threat actors like Fox Kitten leveraging scheduled tasks for ransomware attacks.

Mitigations

• Least Privilege Access Control: Limit user access to the necessary resources to reduce lateral movement.
• Audit Environment: Regularly review scheduled tasks and system configurations for anomalies.
• Ensure OS Configurations: Force tasks to run under authenticated user accounts rather than the system to avoid privilege escalation.

Topline Takeaways

• Industry target: Industrials
• Attacker methods:
  • Discovery techniques (whoami, ipconfig)
  • AnyDesk
  • Batch script (n.bat)
• Recommended mitigations:
  • Provide a dedicated software center.
  • Ensure default credentials are changed.

Incident Timeline for 2024-09-14 and 2024-09-19

On August 14, 2024, Blackpoint’s MDR technology detected suspicious reconnaissance commands on an industrials partner’s SQL server, revealing the server was vulnerable to SQL injection. Five days later, further alerts indicated that a batch script (n.bat) was used to store cleartext credentials, create new user accounts, and install AnyDesk for persistence. The threat actor called out to C2 servers in Hungary and the Netherlands.

Blackpoint’s SOC isolated the server, identified the abuse of SQL admin credentials, and recommended stronger password policies.

More About AnyDesk

Used by many Managed Service Providers (MSPs) for remote assistance, AnyDesk has become a popular tool for threat actors seeking to maintain persistence. In this case, the attacker installed AnyDesk to keep control of the compromised server undetected.

APG Threat Analysis for AnyDesk

Threat actors will almost certainly continue using remote desktop software like AnyDesk for persistence into 2024. Incidents involving Healthcare partners in August 2024 and Industrials in April 2024 underscore this tactic’s prevalence.

Mitigations

• Dedicated Software Center: Ensure employees only download software from monitored, approved sources.
• Rotate Default Credentials: Change default credentials immediately upon software installation to prevent easy access by attackers.
• SQL Security: Regularly audit SQL server configurations and enforce strong password policies.

Topline Takeaways

• Industry target: Technology
• Attacker methods:
  • Remote Desktop Protocol (RDP)
  • Advanced Port Scanner
  • VPN Compromise
• Recommended mitigations:
  • Enforce multi-factor authentication (MFA) on all user accounts.
  • Implement application controls.
  • Use strong, unique passwords.

Incident Timeline for 2024-09-23

Blackpoint’s MDR technology alerted to suspicious RDP access and Advanced Port Scanner usage on a technology partner’s network. The scans, originating from a compromised VPN, targeted multiple hosts, and the outputs were hidden in directories commonly used by threat actors.

More About VPN Compromise and Advanced Port Scanner

VPNs, while crucial for secure remote access, are frequently targeted for initial access. In this case, the compromised VPN allowed the threat actor to conduct network enumeration using Advanced Port Scanner. This tool enables attackers to identify defenses, running services, and vulnerable systems for exploitation.

APG Threat Analysis for VPN Compromise and Advanced Port Scanner

APG predicts continued targeting of VPNs for initial access in 2024, with Advanced Port Scanner playing a key role in discovery. Reports from Zscaler and Sophos highlight growing concerns around VPN vulnerabilities, particularly in ransomware operations like Qilin.

Mitigations

• MFA on All Accounts: Enforcing MFA can prevent attackers from exploiting compromised credentials.
• Application Controls: Use allowlists and blocklists to prevent unauthorized software, such as Advanced Port Scanner, from running.
• Strong Password Policies: Implement unique, strong passwords and rotate them regularly, especially for VPN and RDP access.

These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.