December 28, 2023 at 02:05PM
Microsoft disabled the MSIX ms-appinstaller protocol handler due to multiple financially motivated threat groups exploiting it to infect Windows users with malware. The attackers used the CVE-2021-43890 vulnerability to bypass security measures and distribute malware. Microsoft recommends installing the patched App Installer version 1.21.3421.0 or later and advised disabling the protocol when immediate deployment is not possible.
Based on the meeting notes, the key takeaways are:
1. Microsoft has disabled the MSIX ms-appinstaller protocol handler due to multiple financially motivated threat groups abusing it to infect Windows users with malware.
2. The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to circumvent security measures, leading to the distribution of ransomware and other malware.
3. Threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and others, utilize the ms-appinstaller URI scheme to distribute malware.
4. The Sangria Tempest (aka FIN7) financially motivated hacking group has been linked to various ransomware operations and attacks targeting PaperCut printing servers with Clop ransomware.
5. Emotet and BazarLoader malware were also involved in exploiting the AppX Installer spoofing vulnerability to infect Windows systems.
6. Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to counter Emotet’s attacks and has now recommended installing the patched App Installer version 1.21.3421.0 or later to block exploitation attempts.
7. Admins who cannot immediately deploy the latest App Installer version are advised to disable the protocol by setting the Group Policy EnableMSAppInstallerProtocol to Disabled.
These are the summarized takeaways from the provided meeting notes.