Investing

Microsoft Takes Action: Why Is it Disabling Key Protocol?

Microsoft Takes Swift Action: Why Is it Disabling Key Protocol?

In response to the escalating threat of malware attacks, the Microsoft Project team has swiftly taken action by disabling the widely abused ms-appinstaller protocol handler. This strategic move is part of Microsoft’s efforts to utilize its cyber threat intelligence tools to counter the alarming exploitation of this protocol by multiple threat actors intent on distributing malware. Ransomware attacks are looming as a significant risk.

Unveiling the Menace

The Microsoft Threat Intelligence team, leveraging advanced cyber threat intelligence tools, uncovered the exploitation of the ms-appinstaller protocol handler as an access vector for malware distribution. As a result, the company decided to disable the protocol handler by default. The company aims to protect users from potential dangers associated with malicious activities.

Malware Microsoft Project: Kit for Sale

Compounding the threat, cybercriminals are actively selling a malware kit as a service, leveraging the MSIX file format and the ms-appinstaller protocol handler. To address this emerging threat, Microsoft implemented changes in the App Installer version 1.21.3421.0 and higher, a testament to the value of effective threat intelligence feeds.

Method of Attack

The attacks orchestrated by at least four financially motivated hacking groups involve the deployment of signed malicious MSIX application packages. The scammers deceptively distribute these packages through trusted channels like Microsoft Teams. They also disguise them as advertisements for legitimate software on search engines like Google.

Diverse Threat Actors in Action

Several hacking groups have been identified exploiting the App Installer service since mid-November 2023. Each employs distinct tactics and underscores the need for robust threat intelligence feeds:

Storm-0569: Uses SEO poisoning with spoofed sites to propagate BATLOADER, deploying Cobalt Strike and Black Basta ransomware.

Storm-1113: Distributes EugenLoader disguised as Zoom, serving as an entry point for various stealer malware and remote access trojans.

Sangria Tempest (Carbon Spider and FIN7): Leverages Storm-1113’s EugenLoader to drop Carbanak and distribute POWERTRASH through Google ads.

Storm-1674: Sends fake landing pages through Teams messages. It also encourages users to download malicious MSIX installers containing SectopRAT or DarkGate payloads.

Microsoft: Persistent Threats and Past Actions

This isn’t the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022, the company has also taken a similar step to thwart Emotet, TrickBot, and Bazaloader delivery. The protocol’s attractiveness to threat actors lies in its ability to circumvent security mechanisms. However, that poses a significant challenge for user safety.

As Microsoft lists its past actions and remains vigilant in combating evolving cybersecurity threats, it urges users to stay informed and employ best practices to enhance their digital security. This includes regular updates, exercising caution with downloads, and staying informed about emerging threats in the ever-evolving landscape of online security, highlighting the importance of cyber threat intelligence tools.

The post Microsoft Takes Action: Why Is it Disabling Key Protocol? appeared first on FinanceBrokerage.

You May Also Like

Editor's Pick

In this edition of StockCharts TV‘s The Final Bar, Dave shows how breadth conditions have evolved so far in August, highlights the renewed strength in the...

Economy

Boeing’s crew spacecraft Starliner will stay docked with the International Space Station into August, NASA confirmed on Thursday, as the mission remains on hold...

Stock

S&P 500 pared back its intraday gain on Wednesday following a Bloomberg report that Royal Group has built a multi-billion-dollar short position in U.S....

Economy

A U.S. judge has ruled that former Bed Bath & Beyond investor Ryan Cohen can be sued by investors over a tweet he posted featuring an...

Disclaimer: Richpeoplenetworks.com, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2024 Richpeoplenetworks.com

Exit mobile version