Microsoft Now Lets you Enable the Windows App Installer Again, Here’s How

Microsoft now allows enterprise admins to re-enable the MSIX ms-appinstaller protocol handler disabled after Emotet abused it to deliver malicious Windows App Installer packages.

App Installer (also known as AppX Installer) allows users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.

Microsoft disabled the ms-appinstaller scheme in response to reports of ongoing Emotet attacks exploiting a zero-day Windows AppX Installer spoofing vulnerability, forcing users to download the app packages to their device before installing them using App Installer.

“We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner,” Microsoft Program Manager Dian Hartono said when announcing the protocol’s shutdown.

“We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.”

How to re-enable the ms-appinstaller protocol

According to an update from Hartono, Microsoft has finally managed to get a handle on the issue, and it now allows admins to toggle the protocol handler back on by installing the latest App Installer version (1.17.10751.0) and enabling a group policy.

On systems where the App Installer update cannot be deployed using the Internet-based installer, Microsoft also provides an offline version on the Microsoft Download Center.

The App Installer feature will be re-enabled after downloading and deploying the Desktop App Installer policy and selecting “Enable App Installer ms-appinstaller protocol.”

You can do this through the Group Policy Editor by going to Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer.

“You will need both the latest App Installer app and the Desktop App Installer policy to be enabled in order to use the ms-appinstaller protocol for MSIX,” Hartono added.
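The article gives two conditions for the protocol to work again: the App Installer version and the group policy. The PowerShell audit below is an added example, not code from the article or from Microsoft; it reports both conditions so an admin can confirm the state of a machine (or flag machines where the protocol was re-enabled without a business need). It assumes the policy is stored at the registry path shown, which is taken from the Desktop App Installer ADMX and should be verified against the template you deploy.

```powershell
# Added example (not from the original article): audit the two conditions the article
# names for ms-appinstaller to work again. Run in an elevated session (-AllUsers needs admin).
$RequiredVersion = [version]'1.17.10751.0'   # version named in the article

# ASSUMPTION: registry location backing "Enable App Installer ms-appinstaller protocol"
# in the Desktop App Installer ADMX. Verify against your deployed template.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerState {
    # Highest installed App Installer version across all user profiles
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }

    # Policy value: $null = not configured, 1 = enabled, 0 = disabled
    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }

    $versionOk = ($null -ne $installed) -and ($installed -ge $RequiredVersion)
    $policyOn  = ($policy -eq 1)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AppInstallerVersion = $installed
        VersionOk           = $versionOk
        PolicyValue         = $policy
        PolicyEnabled       = $policyOn
        # Per the article, both are required for ms-appinstaller to be usable again
        ProtocolUsable      = ($versionOk -and $policyOn)
    }
}

Get-AppInstallerState | Format-List
```

Machines reporting PolicyEnabled but not VersionOk still have the policy staged ahead of the App Installer update; machines reporting ProtocolUsable without a documented need are the ones to review, since the protocol is the same path Emotet abused.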

ms-appinstaller abused to push malware

Emotet started using malicious Windows AppX Installer packages camouflaged as Adobe PDF software for infecting Windows devices in phishing campaigns from early December 2021.

The botnet’s phishing emails used stolen reply-chain emails instructing the recipients to open PDFs related to previous conversations.

However, instead of opening a PDF, the embedded links redirected the recipients to a web page that would launch the Windows App Installer and ask them to install a malicious “Adobe PDF Component.”

App Installer prompting to install fake Adobe PDF Component (BleepingComputer)

Although looking just like a legitimate Adobe app, App Installer downloaded and installed a malicious appxbundle hosted on Microsoft Azure after the targets clicked the Install button.

You can find more details, including the way Emotet abused the Windows App Installer vulnerability, in our previous report regarding the December campaign.

The same spoofing flaw was also exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure via *.web.core.windows.net URLs.

“We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows,” Microsoft explained.

“Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.”
