Attackers often understand how our systems are managed and monitored better than we do, and they study them for the easiest way in.
Attackers have found yet another way to deploy malware into our networks: a process called sideloading. On Windows, sideloading is the installation of a signed app package directly onto a device, bypassing the Microsoft Store and its review process. Attackers exploit the trust users place in that installer experience by convincing them they are installing a legitimate app when the package actually carries a malicious payload.
Sophos recently blogged about an attack that attempted to trick Sophos staff with a targeted email and then used sideloading to install a custom application hosted on the Microsoft Store (now removed).
Had it run, the application would have installed malware, and ultimately ransomware, on the network. We've also seen attackers use third-party Office 365 applications (OAuth apps that users grant access to) to gain a foothold in a tenant and steal key information. So, what options do defenders have to block sideloading attacks?
Teach users to spot risks
First, end-user education is a key way to keep the network secure. An appropriately paranoid end user will often stop, think, refrain from clicking, and forward the suspicious email to the help desk for review. I also recommend that customers run phishing simulations to measure how phishing-aware their users actually are.
Block sideloading attacks using Intune
Administrators can block sideloading using Group Policy, registry settings or Intune settings. In Intune, set a Windows 10 Device restriction policy with these steps:
Block sideloading attacks using Group Policy
Administrators can also follow these steps in Group Policy to block sideloading attacks. Select in order:
Disabling these policies ensures that malicious app packages can't be sneaked onto the platform through sideloading. Note that it also blocks legitimate packages distributed outside the Microsoft Store (for example line-of-business MSIX packages), so administrators may need to enable the policy temporarily when such a package must be deployed and disable it again afterwards.
Block sideloading attacks using a registry key
To block sideloading via a registry key, open HKEY_LOCAL_MACHINE and navigate to Software\Policies\Microsoft\Windows\Appx. The value is AllowAllTrustedApps; because it is an "allow" setting, a DWORD value of 0 blocks sideloading and 1 permits it. This is the same value the Group Policy and Intune settings above write.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\Appx
Value Name: AllowAllTrustedApps
Value Type: REG_DWORD
Enabled Value: 1 (sideloading allowed)
Disabled Value: 0 (sideloading blocked)
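The following PowerShell script is an added example, not code from the original article or from Microsoft or Sophos. It enforces the registry value described above (which is what the Group Policy and Intune settings write), also sets the companion AllowDevelopmentWithoutDevLicense value that Developer Mode uses to permit unsigned packages, and then lists every installed app package whose signature did not come from the Store or from Windows itself, which is how a sideloaded package shows up on a machine. The key path, value names and the SignatureKind values are real Windows settings; the function names are my own. Run it from an elevated prompt.

```powershell
# Added example: enforce the sideloading policy and audit for non-Store packages.
# Requires an elevated PowerShell session (the policy key and -AllUsers need admin).

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
# Both values are "allow" switches, so 0 means blocked.
$PolicyValues = @('AllowAllTrustedApps', 'AllowDevelopmentWithoutDevLicense')

function Get-SideloadingState {
    # Returns one line per policy value: Blocked, Allowed or NotConfigured.
    foreach ($name in $PolicyValues) {
        $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'NotConfigured' }
                 elseif ($item.$name -eq 0) { 'Blocked' }
                 else { 'Allowed' }
        [pscustomobject]@{ Value = $name; State = $state }
    }
}

function Set-SideloadingBlocked {
    # Same effect as disabling the policies under
    # Windows Components > App Package Deployment: create the key if it is
    # missing and write each value as REG_DWORD 0.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $PolicyValues) {
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-NonStorePackages {
    # SignatureKind records how a package was trusted at install time.
    # Store and System are expected; Developer, Enterprise or None mean the
    # package was sideloaded and deserves a look.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
        Select-Object Name, Publisher, SignatureKind, InstallLocation
}

'Policy state before:'
Get-SideloadingState | Format-Table -AutoSize

Set-SideloadingBlocked

'Policy state after:'
Get-SideloadingState | Format-Table -AutoSize

'Installed packages not signed by the Store or Windows (review each one):'
Get-NonStorePackages | Format-Table -AutoSize
```

Blocking the policy prevents new sideloaded packages from being installed; it does not remove packages that are already present, which is why the audit step matters. Anything the audit lists that is not a known line-of-business package should be investigated and removed with Remove-AppxPackage.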
Preventing sideloading attacks in Office 365
I've also seen reports of third-party Office 365 applications being used to obtain more rights in a tenant or to steal information from it. I strongly recommend reviewing the "Manage user consent to apps in Microsoft 365" policy setting and setting up an admin approval flow, so that any user who requests access to an application, or inadvertently grants a third-party application access, has to go through an administrative approval process first.
In the Admin Center, select in order:
Administrators may wish to delegate the right to approve such requests to specific users. Approval can come from a Global Administrator, but routing every request to a Global Administrator is rarely practical in a larger organisation and is more privilege than the task needs. Approvals can also go to a Cloud Application Administrator or an Application Administrator.
To set up approval rights, follow these steps:
Select the reviewers for this workflow from users who hold the Global Administrator, Cloud Application Administrator or Application Administrator role. At least one reviewer must be designated before the workflow can be turned on. Note that selecting a user here does not grant a role: the reviewer must already hold at least the Application Administrator role, otherwise merely adding the username has no effect.
Next, decide whether reviewers receive an email notification when a new request arrives, and whether they receive a reminder email when a request is about to expire. Both notifications can be enabled or disabled independently.
Finally, set the number of days after which an unactioned consent request expires. Reviewers should be trained to act on these requests within a reasonable time, so that legitimate requests are not simply left to expire.
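The following PowerShell script is an added example, not code from the original article or from Microsoft. It does through Microsoft Graph what the admin-centre steps above do by hand: it reports the tenant's current user consent setting, then enables the admin consent request workflow with the named reviewers, reviewer notifications, expiry reminders and an expiry period. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in administrator can grant the listed scopes; the Graph endpoints and property names are real, while the function names and the reviewer address appadmin@contoso.com are placeholders you should replace.

```powershell
# Added example: audit the user consent setting and configure the admin
# consent request workflow via Microsoft Graph. Assumes Microsoft.Graph is installed.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'

$Graph = 'https://graph.microsoft.com/v1.0'

function Get-UserConsentSetting {
    # permissionGrantPoliciesAssigned controls what users may consent to on
    # their own. An empty list means admin consent is required for everything;
    # the "legacy" policy means users can consent to any app (the weak setting).
    $auth = Invoke-MgGraphRequest -Method GET -Uri "$Graph/policies/authorizationPolicy"
    $assigned = @($auth.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
    if ($assigned.Count -eq 0) { return 'Disabled: all third-party apps need admin consent' }
    if ($assigned -match 'microsoft-user-default-legacy') { return 'Allow all: users can consent to any app (weak)' }
    return "Restricted: $($assigned -join ', ')"
}

function Get-ConsentRequestPolicy {
    # Current state of the admin consent request workflow.
    Invoke-MgGraphRequest -Method GET -Uri "$Graph/policies/adminConsentRequestPolicy"
}

function Enable-ConsentRequestWorkflow {
    param(
        # Reviewers must already hold Global Administrator, Cloud Application
        # Administrator or Application Administrator; this does not grant roles.
        [Parameter(Mandatory)] [string[]] $ReviewerUpns,
        [int] $ExpiryDays = 30
    )
    # Reviewers are addressed by object id, so resolve each UPN first.
    $reviewers = foreach ($upn in $ReviewerUpns) {
        $user = Invoke-MgGraphRequest -Method GET -Uri "$Graph/users/$upn"
        @{ query = "/users/$($user.id)"; queryType = 'MicrosoftGraph' }
    }
    $body = @{
        isEnabled             = $true
        notifyReviewers       = $true        # email reviewers when a request arrives
        remindersEnabled      = $true        # email reviewers before a request expires
        requestDurationInDays = $ExpiryDays  # unactioned requests expire after this
        reviewers             = @($reviewers)
    }
    # The policy is a singleton; Graph updates it with PUT.
    Invoke-MgGraphRequest -Method PUT -Uri "$Graph/policies/adminConsentRequestPolicy" -Body $body
}

"User consent setting: $(Get-UserConsentSetting)"

# Placeholder reviewer address; replace with a real Application Administrator.
Enable-ConsentRequestWorkflow -ReviewerUpns 'appadmin@contoso.com' -ExpiryDays 30

'Admin consent request policy now:'
Get-ConsentRequestPolicy |
    Select-Object isEnabled, notifyReviewers, remindersEnabled, requestDurationInDays
```

Invoke-MgGraphRequest returns hashtables, so the property access above works without converting from JSON. Run the audit function on its own first: if it reports the "Allow all" setting, tightening user consent is the higher-priority change, because a request workflow only helps once users can no longer grant risky permissions themselves.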
Attackers know that users install applications. Make sure your network and tenant settings close off these entry routes, then "patch" the humans by training them to recognise these attack techniques.