
Microsoft Pulls Plug on App Installer: Hackers Exploited Loophole for Malware Delivery

In a decisive move to counter widespread malware distribution, Microsoft has disabled a core app installation protocol exploited by hackers. The move comes after reports surfaced of financially motivated hacking groups using the ms-appinstaller protocol to bypass security measures and silently plant malware on Windows machines.

Key Highlights:

  • Vulnerability: Attackers leveraged the ms-appinstaller protocol to bypass security measures and install malware.
  • Target Groups: Financially motivated hacking groups, including Storm-0569 and Sangria Tempest, are known to have exploited this vulnerability.
  • Precaution: Microsoft has disabled the ms-appinstaller protocol handler by default for all Windows users.
  • Patch Recommendation: Update to App Installer version 1.21.3421.0 or later for additional protection.


Exploiting the Flaw:

The vulnerability resided in the way the ms-appinstaller protocol handled malicious MSIX application packages. These packages, designed for secure app deployment, were being weaponized by attackers to deliver malware disguised as legitimate software. This allowed them to evade detection by security features like Microsoft Defender SmartScreen and built-in browser warnings.

Threat Actors Identified:

Investigations by the Microsoft Threat Intelligence team revealed the involvement of known hacking groups, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, in these attacks. Sangria Tempest, notorious for its involvement in ransomware operations such as BlackMatter and DarkSide, has been identified as a key player in this exploit.

Microsoft Takes Action:

Recognizing the potential for widespread harm, Microsoft swiftly responded by disabling the ms-appinstaller protocol handler by default on all Windows devices. This effectively cuts off the attack vector utilized by hackers and protects unsuspecting users from falling victim to malware masquerading as legitimate apps.

Patch and Stay Safe:

While disabling the protocol offers immediate protection, Microsoft recommends updating to App Installer version 1.21.3421.0 or later. This patched version further strengthens defenses against potential exploits and vulnerabilities related to the ms-appinstaller protocol.
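The two mitigations the article names, an App Installer version of at least 1.21.3421.0 and the ms-appinstaller protocol handler being switched off, can both be audited from an endpoint. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the installed App Installer package version and the policy value that the "Enable App Installer ms-appinstaller protocol" Group Policy sets. The registry path and value name used for that policy are assumptions to verify against your own environment, and `-AllUsers` requires an elevated session.

```powershell
# Added example (not from the article): audit a Windows host for the two
# mitigations the article describes. Assumed: the policy registry path and
# value name below are those written by the Desktop App Installer Group Policy;
# confirm them in your environment before relying on this check.

$MinimumVersion = [version]'1.21.3421.0'   # version cited in the article
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # assumed path
$PolicyValue = 'EnableMSAppInstallerProtocol'                             # assumed value name

function Get-AppInstallerStatus {
    # Highest installed App Installer version on the host (package may be absent,
    # or present at different versions for different users on a shared machine).
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1

    $installedVersion = if ($pkg) { [version]$pkg.Version } else { $null }
    $patched = ($null -ne $installedVersion) -and ($installedVersion -ge $MinimumVersion)

    # Policy value: 0 = protocol explicitly disabled, 1 = explicitly enabled,
    # missing = no policy set (platform default applies).
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    $protocolPolicy = if ($policy) { [int]$policy.$PolicyValue } else { $null }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        InstalledVersion      = $installedVersion
        MeetsMinimumVersion   = $patched
        ProtocolPolicyValue   = $protocolPolicy
        ProtocolExplicitlyOff = ($protocolPolicy -eq 0)
        # Unpatched hosts with no explicit "disabled" policy need follow-up.
        NeedsAttention        = (-not $patched) -and ($protocolPolicy -ne 0)
    }
}

Get-AppInstallerStatus | Format-List
```

Run from an elevated PowerShell prompt; the resulting object is suitable for collection across a fleet, and `NeedsAttention` is true only for hosts that are both below the cited version and not explicitly opted out of the protocol by policy.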

Prior Precedents:

This isn’t the first time Microsoft has taken such drastic measures. In February 2022, the company disabled the same protocol to combat malware threats posed by Emotet, TrickBot, and BazaLoader. The recurrence of the problem highlights the need for constant vigilance and proactive security updates from both users and software developers.

This incident underscores the ever-evolving landscape of cyber threats and the importance of staying informed and vigilant. By promptly disabling the exploited protocol and urging users to update their software, Microsoft has taken a necessary step to protect its users from potentially devastating malware attacks. However, the responsibility for remaining secure ultimately lies with both users and developers, who must prioritize cybersecurity awareness and proactive patch updates.