Microsoft Disables MSIX App Installer Protocol

Subject : Microsoft Disables MSIX App Installer Protocol

Severity : High (CVE-2021-43890), CVSS v3.0 Score : 7.1

Date : 30-12-2023 (Latest Update)

General Information

  The ms-appinstaller protocol handler (AppX Installer) was introduced to enable users to seamlessly install an application by simply clicking a link on a website. Basically, this protocol handler provides a way for users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.

News Description

  Since November 2023, Microsoft Threat Intelligence has observed threat actors such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 taking advantage of the ms-appinstaller (App Installer) protocol handler to distribute malware. After investigating this activity, Microsoft disabled the ms-appinstaller protocol handler by default.

The observed activity shows that these threat actors were using the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service for distributing signed malicious MSIX application packages, using websites reached through malicious advertisements for legitimate popular software.

Conclusion

  Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
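As an added example (not Microsoft's code and not taken from any of the referenced reports), the check below shows the defensive consequence of that bypass: because an ms-appinstaller link hands a package location to the handler instead of downloading a file, the place to catch it is the proxy or browser-history log rather than the download prompt. It pulls the package URL out of the source parameter, flags any package host that is not on an assumed allowlist, and also flags direct .msix/.appinstaller downloads; the log format, hosts and allowlist are constructed for the example.

```python
"""Scan web-proxy log lines for App Installer package delivery.
Added example for this advisory, not Microsoft's code; log format, hosts and
the allowlist below are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# Hosts the organisation legitimately serves packages from (assumed; replace).
TRUSTED_SOURCE_HOSTS = {"apps.corp.example"}
# The handler receives the package location in the `source` query parameter,
# e.g. ms-appinstaller:?source=https://host/App.appinstaller
PROTOCOL_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)
PACKAGE_EXT = (".msix", ".msixbundle", ".appinstaller")

# Constructed log lines: "<timestamp> <client_ip> <requested_url> <status>"
SAMPLE_LOG = """\
2023-12-19T09:14:02Z 10.1.2.3 https://www.example.com/docs/index.html 200
2023-12-19T09:15:41Z 10.1.2.3 ms-appinstaller:?source=https://apps.corp.example/Viewer.msix 200
2023-12-19T09:20:07Z 10.1.2.9 ms-appinstaller:?source=https://software-updates.example.net/GoodApp.appinstaller 200
2023-12-19T09:21:55Z 10.1.2.9 https://software-updates.example.net/GoodApp.msixbundle 200
"""


def package_sources(url):
    """Return (kind, package_url) pairs for one requested URL. kind is
    'protocol' for an ms-appinstaller link (the browser downloads nothing, so
    its download warnings never fire) or 'download' for a direct package fetch."""
    found = []
    for m in PROTOCOL_RE.finditer(url):
        query = urlparse(m.group(0)).query
        found.extend(("protocol", s) for s in parse_qs(query).get("source", []))
    if not found and urlparse(url).path.lower().endswith(PACKAGE_EXT):
        found.append(("download", url))
    return found


def review_log(log_text, trusted_hosts=TRUSTED_SOURCE_HOSTS):
    """Return (line_no, client_ip, kind, package_url, verdict) per hit;
    verdict is 'trusted' if the package host is allowlisted, else 'review'."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        for kind, src in package_sources(fields[2]):
            host = (urlparse(src).hostname or "").lower()
            verdict = "trusted" if host in trusted_hosts else "review"
            hits.append((line_no, fields[1], kind, src, verdict))
    return hits
```

Run `review_log(SAMPLE_LOG)` to see the three hits; only the package served from the allowlisted host comes back as trusted.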

Indicators of Compromise (IOCs)

Security systems are the important thing: we must stay vigilant and keep monitoring as usual.
For more information please contact
Email : sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
061 404 5895 (Ms. Thanyakan)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)

Reference Website

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html

https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web

https://therecord.media/microsoft-disables-app-installation-protocol-abused-by-hackers

https://www.thewindowsclub.com/ms-appinstaller-protocol-has-been-disabled

https://nvd.nist.gov/vuln/detail/CVE-2021-43890

Weekly Interesting CVE

1. CVE-2023-42017
   Published Date: 22/12/2023
   Last Update: 22/12/2023
   Device/Application/OS Target: IBM Planning Analytics
   Attack Type: Unrestricted upload
   CVSS Severity Rating: 7.8
   Detail: IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567.
   Solution: Upgrade versions
   Ref: https://vuldb.com/?id.248862

2. CVE-2023-43585
   Published Date: 13/12/2023
   Last Update: 18/12/2023
   Device/Application/OS Target: Zoom Mobile App / Zoom SDKs
   Attack Type: Improper Access Control
   CVSS Severity Rating: 7.1
   Detail: Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.
   Solution: Upgrade versions
   Ref: https://www.zoom.com/en/trust/security-bulletin/ZSB-23058/ and https://nvd.nist.gov/vuln/detail/CVE-2023-43585

3. CVE-2023-7024
   Published Date: 20/12/2023
   Last Update: 20/12/2023
   Device/Application/OS Target: Google Web Browser versions 90.0.4430.212-1, 116.0.5845.180-1, 119.0.6045.199-1
   Attack Type: Heap-based overflow
   CVSS Severity Rating: 6
   Detail: The high-severity zero-day vulnerability is due to a heap buffer overflow weakness in the open-source WebRTC framework, which many other web browsers, such as Mozilla Firefox, Safari, and Microsoft Edge, use to provide Real-Time Communications (RTC) capabilities (e.g., video streaming, file sharing, and VoIP telephony) via JavaScript APIs.
   Solution: Upgrade to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux
   Ref: https://www.bleepingcomputer.com/news/security/google-fixes-8th-chrome-zero-day-exploited-in-attacks-this-year/

4. CVE-2023-36033
   Published Date: 21/12/2023
   Last Update: 21/12/2023
   Device/Application/OS Target: Windows 10 1809, 21H2, 22H2; Windows 11 21H2, 22H2, 23H2; Windows Server 2016, 2019, 2022
   Attack Type: Local Privilege Escalation
   CVSS Severity Rating: 7.8
   Detail: An attacker can trigger this vulnerability to elevate privileges through the Windows Desktop Manager (DWM) and gain SYSTEM privileges; chaining this issue with a remote code execution bug can compromise a system.
   Solution: Update Patch
   Ref: https://securityaffairs.com/154175/security/microsoft-patch-tuesday-security-updates-nov-2023.html

5. CVE-2023-36397
   Published Date: 21/12/2023
   Last Update: 21/12/2023
   Device/Application/OS Target: Windows 10 Version 160, 1809, 21H2, 22H2; Windows 11 Version 22H2, 23H2, 21H2; Windows Server 2008, 2012, 2016, 2019, 2022
   Attack Type: Remote Code Execution
   CVSS Severity Rating: 8.9
   Detail: Windows Pragmatic General Multicast (PGM) Remote Code Execution issue, tracked as CVE-2023-36397. A remote, unauthenticated attacker can exploit this flaw to execute code with elevated privileges without user interaction.
   Solution: Update Patch
   Ref: https://nvd.nist.gov/vuln/detail/CVE-2023-6707

Malware News or Campaign IOC/IOA

1. Undocumented 8220 Gang Activities Exposed
   Detection in Thailand (/1m Divs): 32
   Detection Date: 18/12/2023
   Attack Type: Downloader, Tool, Remote Access Trojan (RAT), Vulnerability
   Severity: Low
   Description: The 8220 gang, known for widespread deployment of evolving malware tactics, has been detected engaging in previously undocumented activity. This threat actor, believed to be of Chinese origin, targets both Windows and Linux web servers with cryptojacking malware. Exploiting various vulnerabilities, including CVE-2021-44228, CVE-2017-3506, and CVE-2020-14883, the 8220 gang uses different methods such as cURL, wget, lwp-download, python urllib, and a custom base64-encoded bash function to download second-phase files on Linux hosts. On Windows, a simple PowerShell WebClient command executes a downloaded PowerShell script. The group also employs a variation where Java code is executed without relying on an externally hosted XML file. These attacks have been observed across sectors such as healthcare, telecommunications, and financial services in the United States, South Africa, Spain, Colombia, and Mexico.
   Solution:
   1. Update your antivirus to the latest version.
   2. Update Oracle WebLogic to version 14.1.1.
   3. Create a firewall policy to block the network IoCs listed in Ref. 1.
   Ref. 1: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/

04 January 2024
