
Hackers Exploit Exposed Security Keys to Inject Code into Websites

 



Cybercriminals are exploiting leaked cryptographic keys to forge data that web applications trust, decrypt protected values and load malicious code onto vulnerable web servers. A successful attack hands the attacker control of the website, and that access can persist for a long time.  


How Hackers Use Publicly Available Keys

Microsoft's security researchers have recently observed a new wave of attacks in which threat actors use exposed ASP.NET machine keys to break into web applications. These keys are supposed to stay private, but the ones being abused were found in public code repositories, from which developers had copied them into their own applications, so attackers could obtain and misuse them just as easily.  

Once an attacker has the key, they can forge ViewState, the mechanism ASP.NET Web Forms uses to carry page and control state between requests. ViewState is protected by a message authentication code computed with the machine key's validationKey (and optionally encrypted with its decryptionKey), so the server only trusts ViewState it believes it produced itself. With the leaked key the attacker can sign a malicious ViewState payload that passes validation; the server then deserializes and processes it, which lets the attacker execute arbitrary code on the web server.  

Microsoft says it has identified more than 3,000 publicly disclosed machine keys, which puts every web application that uses one of them at risk of this ViewState code injection attack.  
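To make the trust decision concrete, here is a simplified model of ViewState MAC validation. This is an added example, not ASP.NET's real ViewState format and not Microsoft's code: real ASP.NET serializes page state with ObjectStateFormatter and signs it with an HMAC under the machineKey validationKey, and it is the deserialization of attacker-controlled state that turns a forged ViewState into code execution. Here the state is plain JSON, so only the accept/reject decision is shown, and the "leaked" key is a constructed placeholder, not a real disclosed key. It shows that an attacker holding the key produces ViewState the server accepts, that an attacker without the key cannot, and that rotating to a freshly generated key kills the forgery (while also invalidating every in-flight legitimate ViewState, which is the operational cost of rotation).

```python
"""Model of ViewState MAC validation with a leaked machine key (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Constructed placeholder standing in for a key copied from a public repository.
# NOT a real leaked key.
LEAKED_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def generate_validation_key(nbytes: int = 32) -> bytes:
    """Application-specific key from the OS CSPRNG: what 'never reuse a public
    key' means in practice. key.hex().upper() is the form web.config expects."""
    return secrets.token_bytes(nbytes)


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Server side: serialize state and append HMAC-SHA256 under the machine key."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def load_viewstate(token: str, validation_key: bytes) -> dict:
    """Server side: reject any ViewState whose MAC was not made with our key."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        raise ValueError("ViewState too short")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def accepts(token: str, validation_key: bytes) -> bool:
    """True if the server would trust and deserialize this token."""
    try:
        load_viewstate(token, validation_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Walk through the scenario in the text: leaked key, forgery, rotation."""
    server_key = LEAKED_VALIDATION_KEY  # the app copied a public key into web.config
    forged_state = {"user": "guest", "role": "admin"}  # attacker-chosen content

    # 1. An attacker who has the public key forges ViewState the server trusts.
    forged = sign_viewstate(forged_state, server_key)
    # 2. An attacker who does NOT have the key cannot produce a valid MAC.
    blind = sign_viewstate(forged_state, secrets.token_bytes(32))
    # 3. Flipping a bit in a legitimate token without the key is also caught.
    legit = sign_viewstate({"user": "guest", "role": "user"}, server_key)
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode()
    # 4. After rotating to an application-specific key the forgery is dead;
    #    until then it stays valid for as long as the leaked key is in use.
    rotated_key = generate_validation_key()

    return {
        "forged_accepted_with_leaked_key": accepts(forged, server_key),
        "forged_role": load_viewstate(forged, server_key)["role"],
        "blind_forgery_accepted": accepts(blind, server_key),
        "tampered_accepted": accepts(tampered, server_key),
        "forged_accepted_after_rotation": accepts(forged, rotated_key),
        "legit_accepted_after_rotation": accepts(legit, rotated_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the caveat worth remembering when rotating in production: every ViewState issued under the old key, legitimate or not, is rejected after the change, so rotation should be planned rather than done mid-session on a busy site.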


The Godzilla Malware Threat

In December 2024, Microsoft observed an unattributed threat actor use a publicly available ASP.NET machine key to inject malicious code into a server and deliver the Godzilla post-exploitation framework (a web shell-style toolkit, not "military-grade malware"), giving the attacker long-term access to and control over the compromised machine.  

Once Godzilla is running on the compromised system, the attackers can:  

- Run unauthorized commands on the web server.  

- Install additional malware to expand their control.  

- Maintain access even if initial security gaps are patched.  

Microsoft considers these attacks particularly concerning because the keys are public: any attacker can pick them up, so a single leaked key can be exploited by many unrelated groups.  


Why Publicly Exposed Machine Keys Are Dangerous

In earlier ViewState code injection attacks, the keys were typically stolen and sold on underground forums. Now Microsoft is seeing many keys simply sitting in public code repositories, freely available to anyone, which raises the exploitation risk considerably.  

The threats include:  

- Developers may unwittingly copy an exposed key into a real project, making the application exploitable from the day it ships.  

- Attackers can script attempts against the list of known keys, enabling exploitation at scale.  

- One compromised key can breach every application that uses it.  


Recommendations From Microsoft Security

To defend against these attacks, Microsoft recommends that organizations:  

- Never use publicly available machine keys; always generate application-specific keys.  

- Rotate cryptographic keys on a regular schedule to limit the window of exposure.  

- Check for exposed keys using Microsoft's published guidance and security tooling, and replace any that are found.  

- Upgrade ASP.NET applications to the latest supported version, ideally ASP.NET 4.8, which has the strongest protections available.  

- Harden Windows servers against persistent malware by enabling the Antimalware Scan Interface (AMSI) and attack surface reduction rules.  
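The "check for exposed keys" step can be automated across an estate of web.config files. The scanner below is an added example, not Microsoft's tooling. It assumes keys are compared by the SHA-256 of the upper-cased validationKey hex string against a list of hashes of disclosed keys; the hash list and the sample configs here are constructed for the demo, and in practice you would substitute a real disclosed-key hash list. It also flags the second risk from the previous section, a key reused across several applications, and treats a missing <machineKey> element (or validationKey="AutoGenerate,...") as ASP.NET's per-machine auto-generated key, which is fine for a single server and needs no comparison.

```python
"""Scan web.config files for publicly disclosed or reused machineKey values."""
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed demo keys; none of these are real leaked keys.
PUBLIC_KEY_HEX = "A" * 64    # stands in for a key copied from a public repo
PRIVATE_KEY_HEX = "B" * 64   # stands in for a properly generated app-specific key
DECRYPT_HEX_SHARED = "C" * 64
DECRYPT_HEX_API = "D" * 64

SAMPLE_CONFIGS = {
    "shop/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{PUBLIC_KEY_HEX}" decryptionKey="{DECRYPT_HEX_SHARED}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    # Same public key again, lower-cased and inside a <location> block.
    "intranet/web.config": f"""<configuration>
  <location path="admin"><system.web>
    <machineKey validationKey="{PUBLIC_KEY_HEX.lower()}" decryptionKey="{DECRYPT_HEX_SHARED}"/>
  </system.web></location>
</configuration>""",
    "api/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{PRIVATE_KEY_HEX}" decryptionKey="{DECRYPT_HEX_API}"/>
</system.web></configuration>""",
    # No <machineKey>: ASP.NET auto-generates a per-machine key.
    "static/web.config": "<configuration><system.web/></configuration>",
}

# Constructed stand-in for a published list of hashes of disclosed keys.
KNOWN_DISCLOSED_HASHES = {hashlib.sha256(PUBLIC_KEY_HEX.encode()).hexdigest()}


def key_hash(validation_key_hex: str) -> str:
    """Normalize case before hashing so 'abcd' and 'ABCD' compare equal."""
    return hashlib.sha256(validation_key_hex.strip().upper().encode()).hexdigest()


def find_machine_keys(xml_text: str) -> list[dict]:
    """Return every <machineKey> in the config, including ones under <location>."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def scan_configs(configs: dict[str, str], disclosed: set[str]) -> dict[str, list[str]]:
    """Map each config path to its findings (an empty list means nothing flagged)."""
    findings: dict[str, list[str]] = {path: [] for path in configs}
    owners: dict[str, list[str]] = defaultdict(list)  # key hash -> configs using it

    for path, text in configs.items():
        for mk in find_machine_keys(text):
            vk = mk.get("validationKey", "")
            if not vk or vk.startswith("AutoGenerate"):
                continue  # per-machine auto-generated key; nothing to compare
            h = key_hash(vk)
            owners[h].append(path)
            if h in disclosed:
                findings[path].append("validationKey is publicly disclosed")

    # One leaked key breaks every app that shares it, so reuse is its own finding.
    for paths in owners.values():
        if len(paths) > 1:
            for p in paths:
                others = sorted(set(paths) - {p})
                findings[p].append("validationKey reused in " + ", ".join(others))
    return findings


if __name__ == "__main__":
    for path, fs in scan_configs(SAMPLE_CONFIGS, KNOWN_DISCLOSED_HASHES).items():
        print(f"{path}: {fs or 'OK'}")
```

Point the scanner at real files by reading each web.config into the `configs` dictionary; hashing rather than storing the raw key strings means the comparison list can be shared without itself becoming another copy of the leaked keys.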


What to Do If a System Has Been Compromised

If an organization suspects its servers have been compromised, replacing the machine keys alone is not enough to shut the attacker out: a forged ViewState may already have been used to plant a backdoor that survives the key change. Microsoft advises:  

1. Conduct a full investigation for backdoors and unauthorized accounts.  

2. Remove all malicious scripts and files from the system.  

3. Rebuild the server if necessary to eliminate any remaining persistence.  

Organizations running ASP.NET applications in web farms should replace the disclosed keys with securely generated values. Note that ASP.NET's AutoGenerate mode stores a per-machine key in the registry, which suits a single server; in a web farm every node must share the same validationKey and decryptionKey, so generate one fresh key, store it securely and deploy it consistently across the farm.  

More than 3,000 exposed machine keys is a serious problem for cybersecurity, because any web application that uses one of them can be compromised with little effort, and the resulting access can go undetected for a long time.  

To stay safe, businesses and developers should stop using publicly disclosed machine keys, review and rotate their security configuration regularly, and harden their servers against malware. Each of these steps helps keep unauthorized parties out and protects web applications from exploitation.




DDoS Attacks: Becoming More Powerful & Shorter in Duration

 

Microsoft says distributed denial-of-service attacks became shorter in 2022 while also growing more effective and more capable of doing damage. According to Microsoft's DDoS trends report for 2022, the United States, India and East Asia were the most targeted regions, and Internet of Things devices remained the preferred platform for launching attacks. The average attack lasted less than an hour, and attacks of one to two minutes made up a quarter of the total.

According to the tech giant, attacks got shorter because bad actors need fewer resources to carry them out, and security teams struggle to defend against them with legacy DDoS controls. "Attackers frequently use multiple short attacks over the course of several hours to make the most impact while using the fewest resources," Microsoft says.

The daily average was 1,435 DDoS attacks, with the highest number being 2,215 on September 22. During the holiday season, the volume of DDoS attacks increased significantly until the last week of December.

In the Azure cloud, Microsoft recorded a 3.25 terabit-per-second (Tbps) attack as the largest of 2022, slightly below the largest previously known DDoS attack, which peaked at 3.47 Tbps.

TCP reflected amplification attacks are becoming more common and more powerful, Microsoft says, with a growing variety of reflectors and attack vectors that exploit "improper TCP stack implementation in middleboxes, such as firewalls and deep packet inspection devices." The attacker spoofs the target's IP address and sends a request to a reflector, such as an open server or a middlebox, which sends its response to the target, for example a virtual machine.

In some cases TCP reflected amplification can now reach "infinite amplification", where a reflector that never receives an acknowledgement keeps retransmitting its response. A reflected SYN+ACK attack on an Azure resource in Asia in April 2022 peaked at 30 million packets per second and lasted 15 seconds.

"The attack throughput was not particularly high, but there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure," according to the report.
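The detection signal for the attack just described is not bandwidth but unsolicited SYN+ACKs: the victim receives handshake replies from many distinct reflectors for connections it never opened, and each reflector retransmits. The detector below is an added example, not from Microsoft's report. It assumes flow records in a simple constructed "ts src sport dst dport flags" text format and illustrative thresholds; the traffic is generated inline (a legitimate handshake, a 300-reflector flood with three SYN+ACKs per reflector, and a little noise) so it runs offline.

```python
"""Detect a reflected SYN+ACK amplification flood in flow records (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK


def parse_line(line: str) -> Flow:
    """Parse one constructed record: 'ts src sport dst dport flags'."""
    ts, src, sport, dst, dport, flags = line.split()
    return Flow(float(ts), src, int(sport), dst, int(dport), flags)


def build_sample_log() -> list[str]:
    """Constructed traffic: a normal handshake plus a reflected SYN+ACK flood."""
    lines = []
    victim = "203.0.113.10"
    # Legitimate: the victim opens a connection and gets a solicited SYN+ACK back.
    lines.append(f"0.000 {victim} 50000 198.51.100.5 443 S")
    lines.append(f"0.020 198.51.100.5 443 {victim} 50000 SA")
    # Attack: 300 reflectors, each answering a spoofed SYN three times
    # (one SYN+ACK plus two retransmissions), all within one second.
    n_reflectors, retrans = 300, 3
    k = 0
    for i in range(n_reflectors):
        reflector = f"100.64.{i // 250}.{i % 250 + 1}"
        for _ in range(retrans):
            lines.append(f"{1.0 + k / 900:.6f} {reflector} 443 {victim} 8080 SA")
            k += 1
    # Background noise: a couple of stray SYN+ACKs to another host.
    lines.append("1.500 100.64.9.9 443 192.0.2.7 8080 SA")
    lines.append("1.700 100.64.9.10 443 192.0.2.7 8080 SA")
    return lines


def detect_synack_reflection(lines, min_sources=100, min_pps=500.0, window=1.0):
    """Alert on hosts receiving many unsolicited SYN+ACKs from many sources."""
    flows = [parse_line(line) for line in lines]
    # Every (initiator, server, server_port) for which we saw a SYN leave a host.
    opened = {(f.src, f.dst, f.dport) for f in flows if f.flags == "S"}
    unsolicited = defaultdict(list)
    for f in flows:
        # A SYN+ACK is unsolicited if its receiver never sent a SYN to that src:port.
        if f.flags == "SA" and (f.dst, f.src, f.sport) not in opened:
            unsolicited[f.dst].append(f)

    alerts = []
    for victim, pkts in unsolicited.items():
        sources = {p.src for p in pkts}
        span = max(max(p.ts for p in pkts) - min(p.ts for p in pkts), window)
        pps = len(pkts) / span
        if len(sources) >= min_sources and pps >= min_pps:
            alerts.append({
                "victim": victim,
                "packets": len(pkts),
                "reflectors": len(sources),
                "pps": round(pps, 1),
                # Retransmissions per reflector are the amplification the report describes.
                "avg_retransmissions": round(len(pkts) / len(sources), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_synack_reflection(build_sample_log()):
        print(alert)
```

The key design choice is matching each SYN+ACK against the SYNs the receiver actually sent, rather than counting SYN+ACKs alone: a busy client legitimately receives thousands of SYN+ACKs, but it opened those connections itself. The reflector count and retransmission ratio are what distinguish this pattern from a single misbehaving server.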

IoT Devices Are the Preferred Attack Platform

According to Microsoft, adversaries preferred IoT devices for launching DDoS attacks, a trend that has been growing in recent years and that intensified during the Russia-Ukraine war in 2022.

Botnets used by nation-state actors and criminal enterprises, such as Mirai, have been adapted to infect a wide range of IoT devices and support new attack vectors. "While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.

TCP attacks were the most common type of DDoS attack in 2022, accounting for 63% of all DDoS attacks recorded, followed by UDP attacks at 22%.
 
Politically motivated DDoS attacks have risen to prominence, particularly in the year since Russia's invasion of Ukraine. KillNet, a Russian hacktivist group loyal to Moscow, actively recruited volunteers to launch DDoS attacks against Western nations.

KillNet has launched 86 attacks against pro-Ukraine countries since the war began in February 2022, according to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war.