Gridinsoft Blog https://gridinsoft.com/blogs/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Virus and Threat Protection Page Not Available
https://gridinsoft.com/blogs/virus-and-threat-protection-page-not-available/
Wed, 03 Apr 2024 11:22:18 +0000

The post Virus and Threat Protection Page Not Available appeared first on Gridinsoft Blog.

Windows 10 and 11 users sometimes run into a “Virus and threat protection page not available” message in the Windows Security app. The message does not by itself mean the computer is infected, but losing access to this page is a bad sign: it usually means Microsoft Defender Antivirus has been switched off or hidden, which leaves the PC without its built-in protection.

There are several reasons for this, and we will go through them below. On a corporate device the message is often expected, because an administrator can hide the page on purpose. On a personal computer it is not, so today I’ve gathered the most effective ways to fix it.

“Virus and Threat Protection Page Not Available” – What Does It Mean?

The message “Virus and Threat Protection Page Not Available” means the Windows Security app cannot display the page you asked for. The Virus & threat protection page is the front end of Microsoft Defender Antivirus: it shows the result of the last scan, the threat history, the real-time and cloud-delivered protection toggles, the state of security intelligence updates and, when a third-party antivirus is registered, which product is currently in charge.

Screenshot: the “Virus and Threat Protection Page Not Available” message

Windows Security is the built-in security app that Microsoft ships with Windows; the antivirus engine behind it is Microsoft Defender Antivirus. It started out as a basic anti-malware tool, but today it fronts a whole set of protections, including defenses against phishing and other attacks. Its sections are Virus & threat protection, Account protection, Firewall & network protection, App & browser control, Device security, Device performance & health, and Family options. Any of those pages can go missing when the feature behind it is disabled, and now I will tell you why.

Why Is The Virus And Threat Protection Page Not Available?

Normally you open Windows Security from its taskbar icon or from Settings. If everything is in order, the app opens with all its pages. If a page is unavailable, the app shows “Page not available” instead. Here are the usual reasons for this to happen.

Note: this post does not cover managed corporate devices, where the page is hidden by an administrator through Group Policy or MDM; that is a configuration choice, not a fault. The following sections deal with personal devices only.

Specific OS edition.

Windows Enterprise and LTSC editions are meant to be managed centrally, and images built for them frequently ship with Microsoft Defender disabled or hidden by policy. You can see which edition you have under Settings → System → About, in the Windows specifications section.

Screenshot: Windows 10 LTSC with its antivirus settings disabled

Normally, it is possible to change the security settings back to normal. I will show how to do this later in this post.

Improper OS settings after the reset

After an OS reset, the virus and threat protection settings may be left in an inconsistent state. The exact cause is hard to trace and rarely worth the effort, because in this case the fix takes only a few clicks.

Windows ISO obtained from unofficial sources

A Windows image from a questionable or pirated source may have essential security features removed or disabled. Authors of such builds strip “unnecessary” components to make the image smaller and faster, and Microsoft Defender is usually the first thing they cut.

Incompatibility with third-party antivirus

Third-party antivirus products and Microsoft Defender Antivirus are not designed to run side by side. When another antivirus registers with the Windows Security Center, Defender steps into passive or disabled mode by design, because two engines trying to control the same system resources at once would conflict, malfunction or disable each other. If the third-party product is later removed incompletely, that state can stick and the page stays hidden.

Malware activity

Malware that tampers with system security settings can also produce the “virus and threat protection page not available” message, and such an infection can do severe damage, including data loss and theft. Since most home users rely only on the built-in Windows protection, disabling Defender is a common first step for malware, so treat this symptom as a reason to scan the machine with an independent tool.

How to Fix the Virus and Threat Protection Page Not Available Error?

Despite the number of possible causes, the Virus and Threat Protection Page Not Available error is usually easy to fix. Troubleshooting comes down to working out which of the causes above applies. Now, let’s switch to the actual fixes, in roughly the order you should try them.

1. Uninstall third-party security software

Today, most third-party antivirus solutions coexist with Microsoft Defender, which simply switches to passive mode while they are registered. Some products, though, still disable the built-in Defender outright, and a broken uninstall can leave it that way. If you have a third-party antivirus installed, uninstall it with its own uninstaller (or the vendor’s removal tool), reboot, and check whether the page comes back.

2. Update Your Windows

Cybersecurity threats evolve constantly, and software vulnerabilities can be exploited by malicious actors to gain unauthorized access to your system. Windows updates carry patches for known security vulnerabilities, and they also repair Windows Security and Defender components, so a missing page on a machine that has skipped updates for a while is often cured by catching up.

Open Settings from Start, select Update & Security (Windows 10) or Windows Update (Windows 11), and click Check for updates.

Screenshot: Windows Update page with the Check for updates button

This may take some time, especially if you have been postponing updates. It is worth the wait, since the odds that it solves the issue are high.

3. Repair and Restart Windows Security

Windows is generally stable, but uninstalling third-party software can leave the Windows Security app itself in a broken state. Resetting the app (available through its App settings on Windows 11) restores it without touching Defender’s configuration.

First, click the search icon or box on the taskbar and search for “Windows Security”.

Select the Windows Security app and click “App settings” in the right panel.

Click the “Terminate” button, then restart your computer and check whether the error message is gone.

If the issue persists, open the same App settings page again and click the “Reset” button. This reinstalls the app’s data and settings.

Restart your computer once more to make sure all changes are applied.

These are the simpler fixes, and they resolve most cases. If the Virus and threat protection page is still unavailable, move on to the more involved solutions I’ve gathered below.

4. Run SFC and DISM

SFC (System File Checker) and DISM (Deployment Image Servicing and Management) are command-line tools that detect and repair corrupted Windows system files and the component store they are restored from. If the Virus and threat protection page is missing on Windows 10/11 because of a corrupted system image, running both usually fixes it. Run DISM first so that SFC has a healthy component store to repair from:

Click the Start menu and search for “Command Prompt”.

Right-click “Command Prompt” and select “Run as administrator”.

To repair the component store with DISM, enter the following command and press Enter: DISM.exe /Online /Cleanup-image /Restorehealth

To repair your system files with SFC, enter the following command and press Enter: sfc /scannow

Both commands print a summary when they finish; reboot afterwards if SFC reports that it repaired files.

5. Disable UI Lockdown

Sometimes the page is unavailable because the Microsoft Defender Antivirus interface has been hidden through the so-called UI Lockdown preference. To reverse it, run PowerShell as administrator and execute: Set-MpPreference -UILockdown 0 (equivalently, -UILockdown $false). This restores the interface and fixes the Virus and Threat Protection Page Not Available issue when this preference is the cause. Note that a separate Group Policy setting, covered in step 7, can hide the page as well.

6. Change the registry keys through Regedit

If the issue persists, you can check a few policy values with Regedit. Open it by pressing Win+R, typing “regedit” in the Run dialog box and pressing Enter.

In Regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender. This key holds policy settings, and on a personal computer it is normally empty. If a DWORD (32-bit) value named DisableAntiSpyware is present with data 1, double-click it and set it to 0, or delete it; both mean “not configured”. Then open the Real-Time Protection subkey under the same path and do the same with DisableRealtimeMonitoring. If the values are absent, there is nothing to change here: creating them with data 0 is harmless but fixes nothing.

One caveat: any of these values being present on a home PC means something put them there, whether a third-party antivirus, a tweaked Windows build or malware, so it is worth finding out which.

Close the Registry Editor and restart the system. After the restart, check whether Microsoft Defender and its pages are available.

7. Using Local Group Policy

Another option is to check the Local Group Policy settings that govern Microsoft Defender and the Windows Security app. A policy that hides the page can be the result of malware activity or of a third-party antivirus conflicting with Defender. Fixing it means opening the Group Policy editor (gpedit.msc is available on Pro, Enterprise and Education editions, not on Home).

Press the Windows key + R to open the Run dialog box, type gpedit.msc and press Enter. Go to Computer Configuration → Administrative Templates → Windows Components.

Open Windows Security and then the Virus and threat protection folder.

Double-click Hide the Virus and threat protection area and select Not Configured. While you are there, also check Windows Components → Microsoft Defender Antivirus → Turn off Microsoft Defender Antivirus, which should be Not Configured as well.

Restart your PC to apply the new settings (or run gpupdate /force from an elevated prompt) and try opening the page again.
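The steps above are all things a single elevated PowerShell session can check and undo at once. The script below is an added example written for this post, not a Microsoft tool: it reports the state behind steps 1, 5, 6 and 7, reverts the policy values, and re-registers the Windows Security app as the scripted form of step 3. The registry paths are the locations the Group Policy templates for Defender Antivirus and Windows Security write to, and Microsoft.Windows.SecHealthUI is assumed to be the package name of the Windows Security app; verify both against gpedit.msc and Get-AppxPackage on your build if in doubt.

```powershell
# Added example, not part of the original post: report and undo the settings that
# make the "Virus and threat protection" page unavailable. Run elevated.
# Registry paths: the policy locations written by the Defender / Windows Security
# ADMX templates. Package name Microsoft.Windows.SecHealthUI is an assumption.
#Requires -RunAsAdministrator

# Policy values that hide or disable Defender. An absent value means
# "Not Configured"; removing it is the registry equivalent of the gpedit fix.
$script:PolicyBlockers = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection'
       Name = 'UILockdown' }                # GPO "Hide the Virus and threat protection area" (step 7)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware' }        # GPO "Turn off Microsoft Defender Antivirus" (step 6)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableRealtimeMonitoring' } # real-time protection policy (step 6, note the subkey)
)

function Get-DefenderUiBlockers {
    # One object per policy value that is present and set to 1.
    foreach ($p in $script:PolicyBlockers) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($p.Name) -eq 1) {
            [pscustomobject]@{ Path = $p.Path; Name = $p.Name; Value = $item.($p.Name) }
        }
    }
}

function Get-DefenderUiStatus {
    # Snapshot of everything the steps ask you to look at, in one object.
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    # Third-party antivirus products registered with Windows Security Center (step 1).
    $thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' } |
        Select-Object -ExpandProperty displayName
    [pscustomobject]@{
        DefenderService      = (Get-Service -Name WinDefend).Status
        AntivirusEnabled     = $mp.AntivirusEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        TamperProtected      = $mp.IsTamperProtected
        PreferenceUILockdown = $pref.UILockdown            # step 5 (Set-MpPreference -UILockdown)
        PolicyBlockers       = @(Get-DefenderUiBlockers)   # steps 6 and 7
        ThirdPartyAntivirus  = @($thirdParty)              # step 1
    }
}

function Repair-DefenderUi {
    # Tamper Protection blocks attempts to turn Defender off through these
    # settings, not attempts to turn it back on, so this is safe with it enabled.
    foreach ($b in Get-DefenderUiBlockers) {
        Remove-ItemProperty -Path $b.Path -Name $b.Name
        Write-Host "Removed $($b.Name) from $($b.Path)"
    }
    if ((Get-MpPreference).UILockdown) {
        Set-MpPreference -UILockdown $false                # same as the post's "-UILockdown 0"
        Write-Host 'Cleared Defender UI lockdown'
    }
    # Re-register the Windows Security app: the scripted form of step 3's Reset.
    Get-AppxPackage -AllUsers -Name Microsoft.Windows.SecHealthUI | ForEach-Object {
        Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
    }
    gpupdate.exe /force | Out-Null
}

Get-DefenderUiStatus | Format-List
# Review the output, then run Repair-DefenderUi and reboot.
```

Read the status output before repairing: a non-empty ThirdPartyAntivirus list means step 1 applies and Defender is in passive mode on purpose, while PolicyBlockers on a home PC point at a tweaked image, a leftover from an uninstalled product, or malware that should be hunted down before the page is simply restored.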

Install Compatible Anti-malware

As I said at the beginning, this symptom can be the result of malware activity, and malware that gets as far as disabling Defender is unlikely to be caught by Defender once it is back. In such cases I recommend scanning with a third-party solution. It is just as important that the tool coexists with the built-in protection rather than replacing it, or you will be back at step 1.

That’s why I recommend GridinSoft Anti-Malware. It works alongside Microsoft Defender without disabling it and does not burden the system. After installation, run a full scan, let it remove what it finds, and then re-check the Windows Security page.

PUADlmanager Win32/InstallCore
https://gridinsoft.com/blogs/puadlmanager-win32-installcore/
Wed, 03 Apr 2024 10:05:41 +0000

PUADlmanager:Win32/InstallCore is the name Microsoft Defender Antivirus gives to a family of potentially unwanted applications (PUA). It is not malware in the strict sense, but it is a real nuisance for Windows users. Unlike a single unwanted program, InstallCore is a download-and-install wrapper: it sits around a legitimate installer and, in the background, fetches and installs further unwanted applications and potentially dangerous programs onto the device.

Win32/InstallCore may not look like a serious threat, but the effects of its activity are unpleasant. Unwanted programs, adware, junk apps: this PUA is not picky about what it spreads. It deserves attention and prompt removal.


What is PUADlmanager Win32/InstallCore?

PUADlmanager:Win32/InstallCore is the detection name for a component that bundles additional software with the program you meant to install. It is not a stand-alone application but a wrapper placed on top of the real installer. Once you launch such a wrapped installer, InstallCore runs too, ready to perform its dirty deeds.

Screenshot: PUADlmanager Win32/InstallCore detection

The prefix “PUADlmanager” (PUA download manager) describes exactly that behaviour. What InstallCore does is download and install extra programs in the background, without the user’s informed consent. That is how the people who distribute it monetize their effort: they are paid for every bundled item that gets installed. Typically, those items are unwanted programs of some sort and adware.

Things like Win32/InstallCore are often embedded in pirated software. Some freeware downloads carry it too, particularly installers repackaged by download portals such as Softonic, Download.com and FileHippo.

Is InstallCore a False Positive?

As far as I can tell, false positives for PUADlmanager:Win32/InstallCore occur in a few situations. One user on the Information Security Stack Exchange forum noted that they can follow a security intelligence update or the installation of third-party software. A PUA detection is not the same as a malware detection: it belongs to the “gray” category, flagged because of what the installer bundles rather than because the code is malicious.

Another example of a false positive was discussed on the JDownloader Community forum, where Microsoft Defender mistakenly detected malware in the JDownloader.exe file. In this case, the JDownloader developers reported the false positive and asked users to report it as well, confirming that JDownloader does not contain malware. There was also a discussion on the Microsoft forum about a false positive on the Five Nights at Freddy’s game installer.

Screenshot: user complaint about false positive results

Antivirus vendors update their signature databases constantly, and a new signature can occasionally misclassify a safe file or program. More often, though, the detection is correct and the user simply did not notice the extra programs offered for installation alongside the main software. If that bundled software falls into the PUA/PUP category, Microsoft Defender flags the installer as such, and the place to settle the question is the detection record itself, since it names the file that triggered the alert.
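When the question is whether a PUADlmanager:Win32/InstallCore alert is a false positive, the quickest evidence is Defender’s own detection record, which names the file that tripped it. The snippet below is an added example for this post, not Defender’s or GridinSoft’s code: it joins Get-MpThreat (threat names) with Get-MpThreatDetection (file paths and processes) on their shared ThreatID, which is an assumption about the cmdlets’ data model that holds on current Windows 10/11 builds, and reports whether PUA protection is enabled.

```powershell
# Added example, not part of the original post: list Defender's detection records
# for PUADlmanager:Win32/InstallCore with the file that triggered each one, and
# check the PUA protection setting. Uses the documented Defender cmdlets; the
# ThreatID join between Get-MpThreat and Get-MpThreatDetection is an assumption.

function Get-PuaDetections {
    param([string]$ThreatNamePattern = 'PUADlmanager:Win32/InstallCore*')
    # Get-MpThreat knows the threat name; Get-MpThreatDetection knows the file(s)
    # and process involved. Both carry the numeric ThreatID.
    $nameById = @{}
    foreach ($t in Get-MpThreat) { $nameById[$t.ThreatID] = $t.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $nameById[$_.ThreatID] -like $ThreatNamePattern } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $d = $_
            # Resources look like "file:_C:\Users\me\Downloads\setup.exe"
            $files = $d.Resources | ForEach-Object { $_ -replace '^file:_', '' }
            [pscustomobject]@{
                Detected = $d.InitialDetectionTime
                Threat   = $nameById[$d.ThreatID]
                Files    = ($files -join '; ')
                Process  = $d.ProcessName
                Cleaned  = $d.ActionSuccess
            }
        }
}

function Test-PuaProtection {
    # PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
    $mode  = [int](Get-MpPreference).PUAProtection
    $label = switch ($mode) { 0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { "Unknown ($mode)" } }
    [pscustomobject]@{ PUAProtection = $label; BlocksPua = ($mode -eq 1) }
}

Get-PuaDetections | Format-Table -AutoSize
Test-PuaProtection
# To turn blocking on (elevated prompt): Set-MpPreference -PUAProtection Enabled
```

If the listed file is the installer you just pulled from a download portal, the detection is working as designed: the portal wrapped a bundle around it. If it is something you never downloaded, or the process column shows an unfamiliar program, run a full scan. Either way, keep PUA blocking enabled rather than in audit mode.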

How does PUADlmanager Win32/InstallCore affect my computer?

As I wrote above, the danger of PUADlmanager is that it downloads and installs numerous unwanted programs without the user’s consent or knowledge, and those can have unpredictable consequences for the computer and the user’s data. To see this in practice, I collected several samples of apps that Microsoft Defender detected as Win32/InstallCore and ran them in a virtual machine.

In one instance, the app had no real functionality, being just a shell with an attractive interface. It was advertised as software to help download files, particularly from torrents, but didn’t really provide any real features. This became clear when I discovered that despite promises of advanced features for an additional fee, the program actually provided no utility and could perform suspicious activities on my PC.

However, uselessness is not the only issue here. As soon as I pressed the “Install” button, numerous other programs started to appear. Driver updaters, “free” VPNs, system tuners – plenty of them. Their sheer volume made the virtual machine I was running the test on exceptionally slow.

Screenshot: desktop after the InstallCore activity

One more thing that was definitely an effect of InstallCore activity is advertisements flooding websites. It looks like, aside from the unwanted programs, this PUA also brought some adware with it. Irrelevant advertisements kept popping up both in the browser and in the system tray until the malware was removed.

Screenshot: advertisements on every page

On top of that, the browser started opening pages demanding that I install questionable browser plugins. Among others, I noticed a well-known one called Dragon Angel. It works as a browser hijacker and is usually promoted in exactly this way. Still, a hijacker may be the lesser evil here, as malicious browser extensions can also steal credentials or swap cryptocurrency wallet addresses.

Screenshot: malicious ad distributing the Dragon Angel extension

Overall, PUADlmanager:Win32/InstallCore is not a severe threat by itself. But the effects of its activity are far from pleasant: it makes the system hard to use, floods it with ads and opens the door to further infections. It should be removed as soon as possible.

How to remove PUADlmanager Win32/InstallCore from PC?

To get rid of PUADlmanager:Win32/InstallCore and everything it installed, use a reliable anti-malware tool that detects and removes all the components, including the bundled programs and the adware. GridinSoft Anti-Malware is built for exactly this class of threat and provides comprehensive system protection.

Manual removal of InstallCore and its companions is possible, but it requires some knowledge and is time-consuming: each bundled program has its own uninstaller and leftovers, and the browser extensions must be removed separately. To avoid a repeat, do not download programs from unverified sources or download portals, decline the “optional offers” in installers, and do not open suspicious email attachments.

XZ Utils Backdoor Discovered, Threating Linux Servers
https://gridinsoft.com/blogs/xz-utils-backdoor-linux/
Tue, 02 Apr 2024 09:32:10 +0000

A backdoor in liblzma, the library behind the XZ Utils data compression tool, was discovered by Andres Freund. Freund, a PostgreSQL developer, noticed a half-second delay in SSH logins after an update, and tracing it led him to the implant. The backdoor appears to be the work of one of the newer XZ maintainers, who pulled off an outstandingly patient supply chain attack.

Backdoor in XZ Compromised Numerous Linux Systems

The story of the backdoor in the XZ compression tool is remarkable from both ends and would make a decent film script. An account under the name Jia Tan had been working its way toward maintainer status since 2021. As any active open-source contributor would, it started by submitting bug fixes and new features. Allegedly with the help of a flood of bug reports and complaints from other accounts, the original maintainer was pressured into looking for a co-maintainer, and Jia Tan was the obvious candidate at that moment.

Screenshot: JiaTan’s account on GitHub

That long road was the cover for a tiny, deeply concealed backdoor (CVE-2024-3094) that is not visible in the public GitHub repository at all. The build script that activates it was shipped only in the release tarballs, which is what downstream projects, mainly the major Linux distributions, actually build from; the payload itself hides in binary files presented as test data. This explains why it took so long: to avoid detection, Jia Tan had to add each piece gradually, so that every commit looked like routine development. A proper special operation, one might say.

The resulting implant hooks the RSA key verification path of sshd on systems where OpenSSH links, directly or through libsystemd, against the trojaned liblzma. An attacker holding the matching private key can then execute arbitrary commands as root before authentication on any exposed SSH server. That endangers a huge number of servers that administrators routinely manage over this protocol. Linux is the backbone of cloud infrastructure, and a root backdoor of this kind effectively means everything those machines store is at risk.

More special-operation details surfaced in the ongoing investigation. Shortly after Jia Tan pushed the malicious releases, requests to update to the new XZ version popped up in the bug trackers of several Linux distributions. Investigators suspect that either Jia Tan or associates posted them. Some distributions obliged and pulled the infected version into their testing or rolling releases, effectively shipping the backdoor to their users.

How Was It Discovered?

The way the backdoor was discovered, on the other hand, sounds closer to a miracle. Andres Freund noticed that SSH logins took about 500 ms longer than usual and that sshd used noticeably more CPU during authentication, and went looking for a performance bug. Profiling quickly pointed to the updated liblzma, and from there to the backdoor built into it.

Andres Freund published his disclosure on the oss-security mailing list on March 29, 2024. The backdoor shipped in the upstream releases xz 5.6.0 (February 24, 2024) and 5.6.1 (March 9, 2024), so the malicious code was live for about five weeks. No stable release of a major distribution included those versions, but rolling and testing channels did. The affected distributions and versions:

Kali: all versions updated between March 26 and March 29, 2024
Arch: all versions after 2024.03.01 / VM images 20240301.218094 and later
Alpine: xz 5.6 packages before the 5.6.1-r2 update
Debian: unstable (sid) only, xz-utils 5.5.1alpha-0.1 through 5.6.1-1
OpenSUSE: all Tumbleweed and MicroOS versions released between March 7 and March 28, 2024
Red Hat: Fedora Linux Rawhide and the Fedora Linux 40 beta

Mitigations and Fixes

After the backdoor was exposed, GitHub disabled the xz repository and suspended the accounts involved. As mentioned, the malicious code did not live in the visible source: the activating script was only in the release tarballs and the payload in binary test files, which is exactly why it got past review. That did not make the clean-up any easier.

Together with the maintainers of the affected distributions, Andres Freund produced both the list of affected versions and the mitigations. Users should downgrade to a release that predates the malicious code (5.4.x) or upgrade to a package from which it has been removed. A quick check is xz --version: a report of 5.6.0 or 5.6.1 means the system needs attention, and on systemd-based distributions it is worth confirming that the running sshd no longer links a liblzma of those versions. Meanwhile the investigation continues, because a supply chain attack of this patience may have had further effects that have not surfaced yet.

UnitedHealth Hack Leaks 6 TB of User Data
https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Group, one of the largest health insurers and health care service providers in the United States, suffered a cyberattack followed by a data breach. The company admitted that personal data of millions of patients was stolen. The incident is already being called one of the largest in healthcare history: the volume of data the attackers claim to have taken is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group suffered a massive cyberattack that hit Change Healthcare, the division of the corporation that processes medical claims and payments. Systems handling prescriptions, medical claims and electronic payments went down, causing major problems for healthcare providers, pharmacies and payment systems across the country.

Screenshot: statement on the company’s website

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and to strengthen security measures protecting patient data. The company also began notifying affected customers and offered them free credit monitoring and fraud protection services as compensation.

In a later update, UnitedHealth Group announced significant progress in restoring the core systems hit in the attack, which caused an outage during the response and affected more than 100 Change Healthcare IT products and services.

Government Response

Given the size of UnitedHealth and its importance to the national healthcare system, the government could not stay silent. The U.S. Department of Health and Human Services opened an investigation into whether the incident involved a violation of the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to determine whether a breach of protected health information occurred and whether the legal requirements for confidentiality of patient information were met.

Screenshot: U.S. Department of State reward announcement

BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for the attack earlier this year. The hackers announced that they had taken 6 terabytes of “highly selective data” on Change Healthcare’s customers. According to the claim, the data covers Tricare, Medicare, CVS Caremark, MetLife and other large organizations, which gives an idea of the potential scale of the damage.

Screenshot: ALPHV/BlackCat reveals details of the attack on UnitedHealth

By their account, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to publish the stolen data. Paying is a desperate measure: the company hands over a huge sum to regain access to its own data and to stop further dissemination. Two questions remain open, though. It is unclear whether the gang kept the whole sum rather than sharing it with the affiliate who carried out the intrusion, and there is no assurance that a copy of the data will not be sold or leaked later regardless of the payment.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action, which severely disrupted the group’s operations for a time. As this attack shows, BlackCat kept operating in defiance of that effort: the disruption slowed them down but did not stop the operation.

What did stop it was an exit scam that the group’s administrators pulled in early March 2024. They defrauded their own partners, quitting the business with the money owed to their affiliates. The UnitedHealth subsidiary appears to be one of their last targets, at least under this name. I expect them to resurface in one form or another.

Microsoft SharePoint Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/microsoft-sharepoint-vulnerability-exploited/
Mon, 01 Apr 2024 13:05:11 +0000

In late March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog, signalling that it is being exploited in the wild. The vulnerability was patched in May 2023 and a public technical write-up of the exploit chain followed in September 2023, but evidence of active exploitation surfaced only now. The Microsoft updates that fix the flaw have been available for almost a year.

Remote code execution vulnerability

The vulnerability, tracked as CVE-2023-24955 (CVSS 7.2), affects Microsoft SharePoint Server, including SharePoint Enterprise Server 2013, SharePoint Server 2016 and SharePoint Server 2019. It is a code injection flaw: an attacker replaces a specific file on the server (/BusinessDataMetadataCatalog/BDCMetadata.bdcm) with one containing injected code, which SharePoint then compiles into an assembly and executes. The result is arbitrary code execution on the server with the privileges of the SharePoint process.

The flaw was demonstrated by security researchers at the Pwn2Own Vancouver contest in March 2023 and reported to Microsoft. On its own, exploiting it requires an authenticated account with Site Owner privileges, since the malicious metadata file is delivered through a crafted web request. What makes it dangerous is the chain it was shown in: combined with CVE-2023-29357, an authentication bypass in SharePoint’s token handling that grants administrator-level access, an unauthenticated attacker who can reach the server gets all the way to code execution without credentials or prior access to the victim’s network. CISA lists both flaws as exploited.

Screenshot: SharePoint application authentication module

Remote code execution flaws are traditionally considered the most severe. They let attackers run the code they want on systems across the environment and can serve both as an entry point and as an instrument for lateral movement. Given how widely Microsoft products are deployed, it is expected that this vulnerability is used together with other flaws in the Microsoft ecosystem, as the Pwn2Own chain already showed.

Official Microsoft Patches and Updates

Microsoft fixed the vulnerability in the May 2023 Patch Tuesday, about two months after it was demonstrated, so the fix predates both the September 2023 public write-up and the exploitation reports. After CISA’s alert, the company again pointed to its security advisory and updates for all supported versions of the product, urging users to apply them immediately. Official patches are available through Microsoft’s standard update channels and the official support site. The lesson is that a year-old patch for a CVSS 7.2 flaw should not still be waiting on any internet-facing SharePoint server.

Not every vulnerability is patched before it is exploited, of course. Protecting against those requires security tooling that can detect exploitation attempts rather than just known files. EDR/XDR solutions of that grade not only catch post-exploitation activity but also let you orchestrate the response and limit the damage.

HackTool:Win32/Crack https://gridinsoft.com/blogs/hacktool-win32-crack/ Sat, 30 Mar 2024 10:43:57 +0000

HackTool:Win32/Crack is related to hacking tools for bypassing license verification. These are often activators of Windows, MS Office, and other proprietary software. Contrary to the widespread belief that such tools are safe, they can carry a threat.

The most popular sources of such hacking tools are torrent distributions and websites with hacked software. Let me explain what hacked software is, what risks its use entails, and whether using it pays off compared to licensed software.

What is HackTool:Win32/Crack

HackTool:Win32/Crack is a generic detection that Microsoft Defender attributes to a piece of code that bypasses the license check. It is worth clarifying that it rarely refers to a stand-alone program, but rather to a modified element of a benign app. Win32/Crack means a modification of the program's files, or of a part of them, aimed at disabling the license verification mechanism.

[Image: HackTool:Win32/Crack detection popup]

Win32/Crack is often distributed via torrents or websites dedicated to cracked software, i.e. software that has had its licensing system tweaked or disabled. It can be either a separate file or embedded into the executable file of the target program. By its nature, HackTool:Win32/Crack does not pose a direct threat to the system, even though what it does is illegal. Defender's detection of such tools exists to fight piracy.

Is Hacktool:Win32/Crack Dangerous?

Although Win32/Crack is not dangerous by itself, a lot of such cracks come with other malware embedded in the same executable file. Particularly greedy authors of such software do this to monetize their effort. Such "bonuses" can include infostealers and more severe malware like ransomware. As a result, instead of saving money, the user pays a higher price, in the form of stolen confidential data or encrypted files.

How does Win32/Crack Work?

There are two different types of software cracking: by making the program believe it has a proper activation and by disabling this check completely. Both have pros and cons, and both are illegal to perform and use. Let’s have a closer look at how this works.

The methods of software cracking below are listed exclusively for educational purposes. I discourage using unlicensed software, due to both legal dangers and malware hazards. These approaches are here to give a clear understanding of what exactly Microsoft Defender means by Win32/Crack.

Disabling the license check

One way to protect software from unauthorized use is to include a license check function in its startup procedure. Essentially, a software program is a set of instructions, represented as a series of bytes, executed by the CPU. During reverse engineering, the checkLicense section is identified and decompiled. A programmer may then patch the binary by replacing specific bytes to bypass the license check.

[Image: Poking around code]

The patched bytes typically satisfy the license check by writing values into registers or memory addresses, or by returning a particular status code. After patching the binary, the handyman has manipulated the license check function, and the software program is considered "cracked." However, with most apps now checking keys on their servers, this method is becoming less common.

Embedding the key

This crack approach emulates an online key verification process and returns a positive result without a real internet connection. Often, one of the points in the instructions for using the app is "deny the application access to the Internet". This is because the license will be deactivated once the app connects to the server and discovers that it is fake. These days, most cracks do not depend on the connection and allow you to enter any text instead of the key.

In the real world, things are more complicated now, as the software will "phone home" and check whether those keys are any good. This can be bypassed by sniffing/decrypting HTTPS traffic and finding the web request that asks if the key is valid. From there, the request can be intercepted, never reaching its final destination, and answered with a fake response.

The handyman can craft this response or log and copy an already valid one. The program will believe it got the go-ahead from the server and continue operating as normal. In that case, the binary also needs to be modified so that it always treats the answer from the server as positive. Another trick of this grade is to run a fake HTTP server that always replies positively and to redirect the check to it.

Is it a False Positive?

In most cases, HackTool:Win32/Crack is not a false positive, with just a few exceptions. As I said at the beginning, it detects specific changes made to the program file. Microsoft Defender can mistakenly detect HackTool:Win32/Crack if there are changes in the program's code that could be interpreted as signs of a crack. For instance, if a program uses strings, jumps or calls typical for Win32/Crack, the antivirus might incorrectly classify it as one. In such cases, I recommend you check the file using our free online checker.

Safety Recommendations

I'd emphasize once again: for your own safety, do not use pirated software at all. In addition to being illegal, pirated software is a breeding ground for malware. Once a user adds any malware or potentially unwanted software to the antivirus exceptions, it can take on a life of its own. Therefore, if you see a HackTool:Win32/Crack detection, download GridinSoft Anti-Malware and perform a full scan of your device.

PyPI Malware Spreading Outbreak Exploits Typosquatting https://gridinsoft.com/blogs/pypi-malware-outbreak/ Fri, 29 Mar 2024 17:04:58 +0000

PyPI, an index of Python packages, once again became a place for malware spreading. Threat actors registered hundreds of profiles to deploy packages whose names typosquat known and popular packages. This forced the administration to halt new user registration until the issue is resolved.

PyPI Malware Spreading Causes Registrations Halt

The Python Package Index, commonly known as PyPI, has closed registration of new users due to a wave of malware spreading through the platform. Such trouble is nothing new, as similar infestations happened in the past. Each time, the platform implemented changes aimed at preventing malware uploads in the future, but the protection apparently failed this time. Research from CheckPoint uncovers the entire flow of the attack.

In the latest attack, cybercriminals uploaded not the final payload, but a malicious script that further loads the malware. The repositories with these scripts were generally uploaded on March 27, with the user accounts created the day before. Overall, the research unveils 576 malicious repositories.

[Image: PyPI user profile that uploaded malware. Source: CheckPoint]

Another thing that unites all these uploads is the use of typosquatting in their naming. The fraudsters were apparently aiming to spoof the names of popular packages. They particularly used symbol-numeric substitution (request5 instead of requests), popular typos (requestss) and slight changes like -sdk or -v1 endings. While looking like obvious fakes, they may still work out when users are in a hurry or distracted.
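To show how the three naming tricks above can be screened for on the defender's side, here is an added example that is not code from the post or from CheckPoint's research. It flags candidate package names against a small allow-list of popular packages; the allow-list, the look-alike character table and the suffix list are constructed assumptions for the demo.

```python
"""Screen package names for the typosquatting patterns described above.

Added example, not code from the post or from CheckPoint's research.
The allow-list, homoglyph table and suffix list are constructed for the demo.
"""
from __future__ import annotations

from typing import Iterable, Optional

# Constructed allow-list of well-known PyPI package names (assumption for the demo).
POPULAR = ("requests", "numpy", "pandas", "urllib3", "boto3", "pillow")

# Digits/symbols that get swapped in for look-alike letters (request5 -> requests).
HOMOGLYPHS = {"5": "s", "1": "l", "0": "o", "3": "e", "4": "a", "7": "t", "8": "b", "$": "s"}

# Trailing additions used to pad an otherwise legitimate name (requests-sdk, requests-v1).
SUFFIXES = ("-sdk", "-v1", "sdk", "v1")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars.

    A distance of 1 covers the "popular typo" class: requestss, requets, reqeusts.
    """
    prev2: list[int] = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def homoglyph_match(candidate: str, target: str) -> bool:
    """True when candidate equals target except for one or more look-alike swaps."""
    if len(candidate) != len(target):
        return False
    swaps = 0
    for c, t in zip(candidate, target):
        if c == t:
            continue
        if HOMOGLYPHS.get(c) != t:
            return False
        swaps += 1
    return swaps > 0


def strip_suffix(name: str) -> str:
    """Drop one known padding suffix, if present."""
    for suffix in SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return name


def classify(name: str, popular: Iterable[str] = POPULAR) -> Optional[tuple[str, str]]:
    """Return (pattern, imitated_package) when name looks like a typosquat, else None.

    PyPI treats '_' and '-' as equivalent, so names are normalised before comparison.
    """
    lowered = name.lower().replace("_", "-")
    known = {p.lower().replace("_", "-"): p for p in popular}
    if lowered in known:
        return None                     # the genuine package itself
    base = strip_suffix(lowered)
    if base != lowered and base in known:
        return ("suffix", known[base])
    for norm, original in known.items():
        if homoglyph_match(lowered, norm) or homoglyph_match(base, norm):
            return ("character-substitution", original)
    for norm, original in known.items():
        if osa_distance(lowered, norm) == 1:
            return ("typo", original)
    return None


def screen(names: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (uploaded_name, pattern, imitated_package) for every suspicious name."""
    hits = []
    for name in names:
        verdict = classify(name)
        if verdict is not None:
            hits.append((name, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    # Constructed sample of freshly uploaded names, modelled on the campaign's patterns.
    uploads = ["request5", "requestss", "requests-sdk", "requests_v1", "reqeusts",
               "ur11ib3", "numpy", "flask"]
    for hit in screen(uploads):
        print("%-14s looks like %-10s (%s)" % (hit[0], hit[2], hit[1]))
```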

Package indexes for different programming languages are often a target of cybercriminals' attention. Ones the size of PyPI, which boasts over 800,000 users, are literally Meccas for hackers. By spreading malware in packages, they can infect both users and developers, potentially gaining a starting point for a cyberattack on a corporation, or even for a supply chain attack. Considering the wide use of Python in machine learning, this can also be leveraged for attacks on ML clusters. The latter appears to be a new point of interest for cybercriminals.

Malware in PyPI: How Does It Work?

Despite the scale of the attack, the way it works is nothing special. As I've said, the malicious repositories contained not the malware itself, but an obfuscated loader script. The latter connected to the command server, funcaptcha[.]ru, and pulled the payload.

All the repos were spreading the same script, which deployed the same malware regardless of the region: an infostealer and a cryptojacker, both in the form of obfuscated code. Neither of them, however, belongs to any known malware family; they were likely developed for this specific attack campaign.

[Image: Piece of code of the infostealer malware spread in this campaign]

The infostealer targets passwords stored in browser files and session tokens of popular desktop applications. Additionally, it grabs browser cookies, another valuable source of user information. The cryptojacking malware modifies the desktop crypto wallets it detects, most likely changing the recipient of all transactions to the fraudsters' wallet. After that, both malware samples communicate with the same C2 server as the loader script did.

Disclosure and Remediation

Shortly after the attack chain was uncovered, PyPI administrators announced the suspension of all new user registration. They then started locating and deleting the repositories in question, which corresponds to the tactics they used before. Still, this does not solve the problem of exclusively reactive responses to such threats.

Despite being well-known and trusted, all large package repositories suffer from the very same problem. It is too hard to track all the uploads, and strict premoderation would queue new packages for weeks. The only variable here is which one will be the next to get the attention of adversaries. This eventually raises the question of self-defense for the developers who rely on these repos in their daily tasks.

Obvious advice here is to double-check all packages, regardless of their source. Malware receives more and more sophisticated disguises, becoming effective even against savvy and aware users. Good anti-malware software will be on hand as well: a proper one will easily detect and prevent the execution of a malicious script before it starts its mischievous job.

ShadowRay Vulnerability Threatens AI Workloads, No Patch Available https://gridinsoft.com/blogs/shadowray-vulnerability-uncovered/ Thu, 28 Mar 2024 18:19:00 +0000

A recent review of vulnerabilities in the Ray framework uncovered an unpatched flaw, dubbed ShadowRay. It appears that hundreds of machine learning clusters have already been compromised, leading to the leak of ML assets. Researchers trace the first attack that used this vulnerability to September 2023, meaning that the vulnerability has been circulating for over half a year.

ShadowRay Vulnerability Allows for RCE

Ray, one of the most popular open source AI frameworks, contains a severe vulnerability, with hundreds of exploitation cases known at the moment. Research by Oligo Security uncovers the peculiar story of CVE-2023-48022: it was originally detected together with four others back in December 2023. While Anyscale, the developer, managed to fix the rest pretty quickly, this one became a subject of discussion. The devs stated it is intended behavior and not a bug, refusing to fix the issue.

[Image: ShadowRay vulnerability exploitation scheme]

CVE-2023-48022, coined ShadowRay, is a remote code execution flaw that stems from the lack of authorization in the Jobs API. The latter in fact allows anyone who can reach the dashboard to create jobs for the cluster. Among the possible jobs is code execution, a function users need quite often in a typical workflow. This in fact was the point of controversy when another research team discovered the flaw in 2023. Anyscale insists that security around the framework and all its assets should be established by the users.

Remote code execution vulnerabilities are among the most severe out there, as they in fact allow for simultaneous code execution on several machines. In this specific case, it is not workstations that are in danger, but ML clusters, with all the computing power and data they hold.

How Critical is This Flaw?

As I said, the Ray framework is among the most popular ones for handling AI workloads. Among its users are big names like Amazon, Netflix, Uber, Spotify, LinkedIn and OpenAI, as well as hundreds and thousands of smaller companies. Its GitHub repository boasts over 30k stars, meaning that the total user count definitely exceeds this number. So yes, the attack surface is pretty significant.

Much worse things surface when we think about what exactly is compromised. Compared to workstations, corporate networks and servers, machine learning clusters are completely different. They are powerhouse systems, with hardware oriented to ML workloads and related data, like access tokens, credentials to the connected apps, and so on. Numerous systems that keep such info are interconnected using the Ray framework. So a successful exploitation of ShadowRay effectively equals access to all of this.

[Image: Ray dashboard with all the cluster's data. Source: Oligo]

Despite being oriented towards AI workloads, the hardware, GPUs specifically, is still usable for other workloads. In particular, upon accessing the ML cluster, fraudsters can deploy coin miner malware that fills their purses at the expense of the victim company. But what is more concerning here is the possibility of a dataset leak. Quite a few companies train their AIs using their own unique developments, or a selection of carefully picked data. Leaking corporate secrets may be critical for large companies, and fatal for smaller ones.

ShadowRay Vulnerability Exploited in the Wild

The most unfortunate part about the ShadowRay flaw is that it is already exploited in real-world attacks. Moreover, hackers most likely exploited it well before its discovery. The original research says the first exploitation cases happened back in September 2023. However, they did not stop, as there were also attacks less than a month ago, in late February 2024.

Among the visible consequences of the attack were malicious coin miners that exploited the powerful hardware of the hacked clusters. Hackers particularly deployed XMRig, NBMiner and Zephyr malicious miners. All of them were run in a living-off-the-land manner, meaning that static analysis was practically useless against this malware.

Less obvious, but potentially more critical, was the leak of data kept on the clusters. I am talking not only about the datasets, but also workflow-related information, like passwords, credentials, access tokens, and even access to cloud environments. From this point of view, this is rather similar to compromising a server that handles the workflow of a software development team.

ShadowRay Fixes Are Not Available

As I've mentioned above, Anyscale does not agree that the absence of authentication in the Jobs API is a vulnerability. They believe that the user should take care of the security of the Ray framework. And I somewhat agree with this, with only one caveat: there needs to be a visible warning about such a "feature" during the setup. At the scale of OpenAI or Netflix, such shortcomings are unacceptable.

At the moment, the best mitigation is to filter access to the dashboard. A properly configured firewall will fit this purpose well. Experts also suggest setting up authentication for the Ray Dashboard port (8265), effectively fixing the vulnerability.

Use advanced security solutions that are able to detect in-memory threats as well as malware on the disk. In almost all attack cases, adversaries did not leave any files on the disk, performing the attack in LOTL form. EDR/XDR solutions may look costly, but recovering after a compromise of all the company's assets costs more, both in monetary and reputational terms.

PUA:Win32/Packunwan https://gridinsoft.com/blogs/pua-win32-packunwan/ Thu, 28 Mar 2024 11:56:10 +0000

PUA:Win32/Packunwan is a generic detection of a potentially unwanted program that uses software packing. It can range from being merely annoying to creating a severe threat to system safety. Depending on this, the degree of damage to the system will vary.

Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.

Protect your computer against unwanted software! GridinSoft Anti-Malware will detect the most dodgy and tricky of them before they can mischief you. 👉🏻 Get yourself reliable protection

PUA:Win32/Packunwan Overview

PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, the analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of reports, it is challenging to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.

[Image: PUA:Win32/Packunwan detection]

While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.

On the other hand, the behavior of this program in fact goes far beyond "showing unwanted ads". Reviewing the sample shows that it collects way too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.

Packunwan Technical Analysis

As I've just said, while analyzing Packunwan malware samples, I've seen a lot of questionable actions. In particular, it collects way too much info about the system. Not enough to call it spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering on what you would expect from dropper malware. Even though not all samples were like this, there was a consistent behavior pattern.

Launch & System Discovery

Upon execution, the reviewed Packunwan sample checks the computer's location settings for no obvious reason. This is standard behavior for malware, but not for a "driver updater". To do this, it queries the registry for specific values related to country code configuration.

[Image: Registry entries that Packunwan accesses to get location info]

After that, the program starts gathering system information. By checking a selection of registry entries and querying system functions, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the functionality of a "driver updater", but can also be useful for discovering whether the system is a virtual machine.

One anti-analysis trick that I am sure about is checking the disk info through a registry query. The malware checks SCSI registry keys, which reveal whether the disk is virtual storage created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely that a geek who plays with geriatric hardware would use questionable apps.

HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000

Persistence and Detection Evasion

PUA:Win32/Packunwan uses various obfuscation techniques to dodge detection. As its name implies, its files are packed, i.e. compressed and encrypted. The sample I reviewed encrypted data using RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. At the same time, it disguises the payload as part of the "driver updater" files.

For persistence, the program creates Windows services and adds entries to Registry Run keys and startup folders. While a rather widespread step, it remains effective, especially on poorly protected systems. Packunwan also does not allow you to opt out of the startup entry from its interface, a common practice among unwanted programs.

Network Communications

I've mentioned that Packunwan is usually distinctive for its networking activity. Though, not every sample had as many strange things happening in the background as the one I took a deeper look at. Within a short period of time, it performs consecutive requests to the remote server. You can see an example of one of these messages below:

[Image: One of the HTTP GET requests from a Packunwan sample. Source: Tria.ge]

Sure enough, driver updaters should get the drivers they are about to install from somewhere. But as far as I'm aware, not a single legitimate program creates that much chaos in networking logs. It is either poor software design, or an attempt to conceal something by blending it into this mess.

How To Remove PUA:Win32/Packunwan

You will need an anti-malware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware; it will be the optimal solution in such a case. You should run a full scan, whether it is an adware PUA or a dropper. It might take a little longer, but it will guarantee a more effective cleaning.

PUABundler:Win32/Rostpay https://gridinsoft.com/blogs/puabundler-win32-rostpay/ Wed, 27 Mar 2024 15:56:37 +0000

PUABundler:Win32/Rostpay is an antivirus detection related to software released by Rostpay LLC. Antivirus programs detect it because it comes with a lot of additional unwanted programs (PUA). Although their applications are not malicious, the software that comes bundled with them can have unpredictable consequences.

As history shows, software developers like Rostpay have already made a name for themselves in the digital marketplace as builders of unwanted software. But in the pursuit of free software, users take risks that expose the security of their systems and devices.

Protect your computer against unwanted software! GridinSoft Anti-Malware will defend your system any time, in any circumstances, by your mere command. 👉🏻 Get yourself reliable protection

What is PUABundler:Win32/Rostpay?

PUABundler:Win32/Rostpay is the name of a potentially unwanted program detected by Microsoft Defender. This is complex software that is usually distributed bundled with other applications, often without the user's explicit consent. Such programs may include various components such as adware, browser toolbars, pseudo-system optimizers, and more.

[Image: Defender detection]

As I wrote above, Rostpay developers bundle their free programs with unknown and almost always unrelated software. On the Web, a lot of users complain that numerous unwanted programs get installed alongside programs developed by this company.

Others complain about the troubles these programs create. In other words, Rostpay's software is not particularly effective, creating just a pale resemblance of real work. Its removal can also be complicated and require additional software. This is why such software is considered an unwanted program.

PUABundler:Win32/Rostpay Analysis

Samples for analysis were not difficult to find: you just need to download programs from the developer Rostpay. I opted for Tesla Browser and Driver Hub for the analysis, and downloaded and installed them.

Win32/Rostpay #1 – Driver Hub

Driver Hub is a software solution ostensibly designed to check and update outdated drivers on your system. But there are pitfalls here that spoil the overall picture. When we open the setup file, we see the following message:

[Image: PUA installation offer on the setup screen of Driver Hub]

As I’ve mentioned above, PUABundler:Win32/Rostpay usually comes with bundled software, and this checks out in my test with Driver Hub. Instead of Yahoo, the offered programs may differ depending on the product you install and your location.

What did not happen to me, but is a frequent point of user complaints after Rostpay activity, is various system troubles. People particularly report Internet connectivity issues, keyboard input problems, and similar bugs. Most probably, they are the outcome of the installation of a faulty driver; at least, these symptoms sound like driver issues.

[Image: DriverHub interface]

That is actually one major problem with any "driver updater" software: they barely have the most recent and correctly working drivers for all hardware. All attempts to create such a thing fail for one reason: there is too much hardware out there. And Driver Hub is no exception.

Win32/Rostpay #2 – Tesla Browser

Tesla Browser is yet another thing detected as PUABundler:Win32/Rostpay. According to the advertising promises, it is a web browser that offers an improved surfing experience on the Internet. However, not everything is as rosy as it seems at first glance. The first questionable thing pops up during the installation: the offer to install an unrelated program.

[Image: Tesla Browser installer with the offer to also install a shady password manager]

Though, Tesla Browser itself can come in the very same bundle, hidden as "recommended software". Such unwanted programs spread quite literally through budding: one contains two others, and each of them in turn installs another two. So yes, one unwanted program can make a mess that will be hard to ignore.

The biggest problem with Tesla Browser is that it can act as adware or a browser hijacker. Forget about what they promise on the website: there are no "advanced security features" or "regular updates". This browser can redirect your queries to a random search engine and display modified search results filled with promotions. And even when you do not use it, pop-ups with offers to install plug-ins or other stuff will keep appearing in other browsers.

Removing Win32/Rostpay and other PUAs from PC

I recommend GridinSoft Anti-Malware, which will easily remove all remnants of Win32/Rostpay and all the garbage installed with it. And in general, the program will provide decent real-time protection for your system.


Uninstalling Win32/Rostpay, as well as other software that was installed together with it without your permission, is possible manually. However, there is a risk that you will not be able to clean all the elements that unwanted programs leave in the system. Their sheer volume can also make the removal process a rather time-consuming endeavour. High-quality antivirus software will facilitate this process and save you time.
