Tag Archive for: app’

Microsoft Disabled App Installer Abused by Hackers

/in


Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme (App Installer). As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default.

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence team said.

The ms-appinstaller protocol handler vector is probably the one that threat actors have selected since it can bypass security measures like Microsoft Defender SmartScreen and built-in browser alerts for downloading executable file types, which are intended to protect users from malware.

Microsoft Threat Intelligence has identified App Installer as a point of entry for human-operated ransomware activities by several actors, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Spoofing legitimate applications, tricking users into installing malicious MSIX packages that look like legitimate applications, and avoiding detections on the initial installation files are some of the activities that have been noticed.

Financially Motivated Threat Actors Abusing App Installer

Microsoft discovered that Storm-0569 was using search engine optimization (SEO) poisoning to spread BATLOADER by impersonating websites that offered legitimate downloads, including AnyDesk, Zoom, Tableau, and TeamViewer. 

When a user searches on Bing or Google for a legitimate software application, they could see links to malicious installers using the ms-app installer protocol on a landing page that mimics the landing pages of the actual software provider. A prominent social engineering technique involves spoofing and imitating…

Source…

‘Financially Motivated Threat Actors’ Distributing Malware via App Installer

/in


Microsoft is warning that bad actors, including those financially motivated, are using App Installer to distribute malware.

Microsoft Threat Intelligence says bad actors have been using the ms-appinstaller URI scheme (App Installer) to distribute malware since at least mid-November 2023. Microsoft has disabled the protocol handler in an effort to combat its abuse.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.

The attacks are especially dangerous for Teams users, since the bad actors are spoofing legitimate Microsoft pages.

Since the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing pages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.

More information can be found here, including detailed analysis of the attack. In the meantime, Microsoft says organizations should educate Teams users to be able to identify and protect themselves from this exploit.

Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.

Source…

Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)

/in


Nothing Phone 2 Essential Glyph Light On

C. Scott Brown / Android Authority

TL;DR

  • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing for decryption using the same decryption keys.
  • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
  • Nothing claims it is currently working to resolve the issues.

Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report

Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open for decrypting the same with the same decryption keys, defeating the purpose of encryption.

Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. You could still allegedly decrypt the email that is used as the username.

The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of the same in August, but it hasn’t been fixed…

Source…

Nothing’s iMessage app was a security catastrophe, taken down in 24 hours

/in


The Nothing Phone 2 all lit up.
Enlarge / The Nothing Phone 2 all lit up.

Ron Amadeo

It turns out companies that stonewall the media’s security questions actually aren’t good at security. Last Tuesday, Nothing Chats—a chat app from Android manufacturer “Nothing” and upstart app company Sunbird—brazenly claimed to be able to hack into Apple’s iMessage protocol and give Android users blue bubbles. We immediately flagged Sunbird as a company that had been making empty promises for almost a year and seemed negligent about security. The app launched Friday anyway and was immediately ripped to shreds by the Internet for many security issues. It didn’t last 24 hours; Nothing pulled the app from the Play Store Saturday morning. The Sunbird app, which Nothing Chat is just a reskin of, has also been put “on pause.”

The initial sales pitch for this app—that it would log you into iMessage on Android if you handed over your Apple username and password—was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as we expected. Here’s Nothing’s statement:

Nothing Chat's shut down post.

Nothing Chat’s shut down post.

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages.

The Text.com investigation uncovered a pile of vulnerabilities. The blog says, “When a message or an attachment is received by a user, they are unencrypted on the server side until the client sends a request acknowledging, and deleting them from the database. This means that an attacker subscribed to the Firebase…

Source…