Connect with us

Hi, what are you looking for?

Business

Phishing campaign exploits vulnerability in Windows Search

A new phishing campaign uses HTML attachments that abuse the Windows search protocol.

China-based hacking group 'Flax Typhoon' has targeted Taiwan's government agencies, according to Microsoft
China-based hacking group 'Flax Typhoon' has targeted Taiwan's government agencies, according to Microsoft - Copyright AFP/File GERARD JULIEN
China-based hacking group 'Flax Typhoon' has targeted Taiwan's government agencies, according to Microsoft - Copyright AFP/File GERARD JULIEN

A new phishing campaign exploits a vulnerability in the Windows Search protocol. These emails use HTML attachments to download malicious files from remote servers, potentially putting your personal information, files, and even your entire computer at risk.

How worried should users be about this threat and are there any actions that can be taken to help to mitigate the risk? Jason Kent, Hacker in Residence at Cequence explains to Digital Journal the importance of proactive vulnerability management and how to prevent such attacks.

Kent begins by assessing the nature of the cyber-threat: “Just like most of these types of vulnerabilities, discovering a service that can be sent off rogue is difficult to catch until it is way too late.”

Philosophically, Kent muses: “Stopping all services from reaching out to the Internet would break many functions, but understanding which services are reaching out and what resources they require is paramount.”

This leads to the current threat and associated risk: “As this was discovered, it was realized that yet another function can grab information from the Internet but doesn’t have restrictions on what those pieces of information can be used for. In this case, they can trigger executables on the victim machine.”

So how do we prevent this?

According to Kent: “Well, outbound proxy calls that block this sort of thing would be ideal, but as well all know, work-from-home environments and the inability to keep traffic flowing to a centralized proxy makes that difficult.”

Kent continues with the solution: “The suggested remediation is to disable search functionality within each host. This is done by removing the registry keys for two search functionalities.”

This is:

reg delete HKEY_CLASSES_ROOT\search /f

reg delete HKEY_CLASSES_ROOT\search-ms /f

Kent cautions: “Before anyone tries this, they need to make sure it doesn’t break anything important. It’s also going to be a problematic thing to push out to remote employees.”

His final recommendation is: “In my honest opinion, setting your email server to embargo all emails with HTML attached might be bad, but we can see how dangerous it is to utilize HTML in emails. This is why it’s crucial to analyze all email attachments, not just text files.”

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:

Tech & Science

This isn’t “artificial intelligence” yet. It’s “artificial idiocy”. It’s fixable.

Entertainment

Academy Award winner Colin Firth ("The King's Speech") chatted about starring in the new limited series "Lockerbie: A Search for Truth," which will premiere...

Business

“Quantum technologies are the next revolution in technology.”

Business

Australia wants big tech companies to compensate local publishers for sharing news links that drive traffic to their platforms - Copyright AFP/File SEBASTIEN BOZONAustralia...