
Ransomware Found in VSCode Extensions Raises Concerns Over Microsoft’s Security Review


Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software on its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them and Microsoft removed them.

Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. The “ahban.cychelloworld” extension was first uploaded on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. The VSCode Marketplace, designed to provide developers with additional tools for Microsoft’s popular coding platform, has come under scrutiny for failing to identify these threats. 

Researchers at ReversingLabs determined that both extensions included a PowerShell script that connected to a remote Amazon Web Services (AWS) server to download further malicious code. This secondary payload functioned as ransomware, though evidence suggests it was still in a testing phase. 

Unlike traditional ransomware that encrypts entire systems, this malware specifically targeted files stored in C:\users%username%\Desktop\testShiba. Once the encryption was complete, victims received a Windows notification stating: “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them.” However, no further instructions or payment details were provided, suggesting the malware was not yet fully developed.

Although Microsoft eventually removed the extensions, security researcher Itay Kruk from ExtensionTotal disclosed that their automated detection system had identified the malicious code much earlier. Kruk stated that they had alerted Microsoft about the issue but received no response. Further analysis revealed that the initial version of “ahban.cychelloworld” was clean, but the ransomware was introduced in version 0.0.2, which was released on November 24, 2024. ExtensionTotal flagged this version to Microsoft on November 25, yet the extension remained available for months.

During this time, five more versions were uploaded, all containing the same ransomware. This case has intensified concerns about Microsoft’s ability to monitor third-party extensions effectively. The security lapse within the VSCode Marketplace highlights the risk developers face when downloading extensions, even from official sources. Microsoft has previously faced criticism for both slow responses to security threats and for mistakenly removing non-malicious extensions. 

A notable example involved two popular VSCode themes, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ which were taken down due to suspected obfuscated JavaScript. However, after further review, Microsoft determined the extensions were safe, reinstated them, and apologized, promising improvements to its security screening process. The presence of ransomware in widely used developer tools underscores the need for stronger security measures. Developers must stay cautious, regularly update security protocols, and carefully evaluate third-party extensions before installing them, even when they come from official platforms like the VSCode Marketplace.

Hackers Exploit Exposed Security Keys to Inject Code into Websites

Cybercriminals are exploiting leaked cryptographic keys to subvert authentication, decode protected data, and install malicious software on vulnerable web servers. These attacks can give hackers unauthorized control over websites and allow them to maintain access for long periods.


How Hackers Use Publicly Available Keys

Microsoft's cybersecurity experts have recently detected a new wave of Internet threats in which attacking groups use exposed ASP.NET machine keys to break into web applications. These keys are supposed to be kept private, but they were nonetheless found in public code repositories, where attackers could easily obtain and misuse them.

Once a criminal possesses such a key, they can forge ViewState, the mechanism ASP.NET Web Forms uses to store and carry user and page data between page interactions. If the attacker injects ViewState with malicious content, the web server accepts it as valid and processes it, allowing the attacker to execute harmful commands on that system.

Microsoft, for its part, is tracking more than 3,000 machine keys that have been publicly leaked, putting numerous web applications at risk of code injection attacks.


The Godzilla Malware Threat

In December 2024, evidence was found that an unidentified hacker group used an exposed ASP.NET machine key to install the military-grade malware Godzilla on a compromised machine, gaining long-term access and control.

Once this malware makes its way into the compromised system, the hackers can:  

- Run unauthorized commands on the web server.  

- Install additional malware to expand their control.  

- Maintain access even if initial security gaps are patched.  

Microsoft states these attacks are particularly concerning since leaked keys are available to the public, thus allowing many attackers to take advantage of this vulnerability.  


Why Publicly Exposed Machine Keys Are Dangerous

Previously, attackers sold stolen cryptographic keys in underground markets, but Microsoft now finds that in this case many keys are freely exposed on public sites. That greatly increases the risk of exploitation.

The threats include:  

- Developers could unwittingly copy exposed keys into their own projects, thereby rendering their applications exploitable.

- Attackers could set up a script to carry out attacks against the known keys, which would allow for widespread exploitation.  

- One compromised key can cause a breach in multiple applications.  


Recommendations From Microsoft Security

To defend against these attacks, Microsoft thus recommends that organizations carry out the following:  

- Never use publicly available machine keys; generate application-specific keys at all times.  

- Regularly update and rotate cryptographic keys to limit the risk of long-term exposure.

- Check for exposed keys using Microsoft security tools and revoke any that are found.

- Upgrade ASP.NET applications to the most recent version, preferably ASP.NET 4.8, which has the strongest security protections.

- Harden Windows servers against persistent malware by enabling security modules such as the Antimalware Scan Interface (AMSI) and attack surface reduction rules.
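One way to put the first three recommendations into practice on an IIS host, as an added example that is not from the article or from Microsoft's own tooling: the script below audits every web.config under a web root for a static `<machineKey>` element, flags any whose values appear in a list of known-exposed keys, and prints a freshly generated replacement element. The web root path and the entries in `$ExposedKeyList` are constructed placeholders; populate the list from your own intelligence source.

```powershell
# Added example (not the article's or Microsoft's code): audit web.config machine keys
# against a list of exposed values and generate application-specific replacements.
param(
    [string]$Root = "C:\inetpub\wwwroot",   # assumed web root to scan
    [string[]]$ExposedKeyList = @(          # constructed placeholder, not a real leaked key
        "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    )
)

# Return a random hex string of the requested byte length from the OS CSPRNG.
# ASP.NET expects 64 bytes for an HMACSHA256 validationKey and 32 bytes for an AES decryptionKey.
function New-MachineKeyHex {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $_.ToString("X2") })
}

# Inspect one web.config and report whether it carries a static key and whether that key is exposed.
function Test-WebConfigMachineKey {
    param([string]$Path, [string[]]$Exposed)
    [xml]$cfg = Get-Content -Path $Path -Raw
    # Assumes the usual un-namespaced <configuration> root.
    $mk = $cfg.SelectSingleNode("//system.web/machineKey")
    if (-not $mk) {
        return [pscustomobject]@{ Path = $Path; Status = "No static machineKey (auto-generated)" }
    }
    $validation = $mk.GetAttribute("validationKey")
    $decryption = $mk.GetAttribute("decryptionKey")
    $leaked = ($Exposed -contains $validation) -or ($Exposed -contains $decryption)
    $status = if ($leaked) { "EXPOSED KEY IN USE - rotate immediately" } else { "Static key present - verify its provenance" }
    return [pscustomobject]@{ Path = $Path; Status = $status }
}

Get-ChildItem -Path $Root -Recurse -Filter web.config -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WebConfigMachineKey -Path $_.FullName -Exposed $ExposedKeyList } |
    Format-Table -AutoSize

# Replacement element for a rotated application; never reuse it across applications.
"<machineKey validationKey=`"$(New-MachineKeyHex 64)`" decryptionKey=`"$(New-MachineKeyHex 32)`" validation=`"HMACSHA256`" decryption=`"AES`" />"
```

Rotating a key invalidates outstanding ViewState and forms-authentication tickets, so schedule the change and, in a web farm, apply the same new key on every node at once.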


What to Do If a System Has Been Compromised

If an organization suspects its servers have been compromised, merely replacing the machine keys is not enough to avert subsequent attacks. Microsoft suggests:

1. Conduct a complete security investigation to search for backdoors and unauthorized users.

2. Clear all malicious scripts and files from the system.

3. Rebuild the server if necessary, to eliminate any remaining threats.

Organizations running ASP.NET applications in web farms should replace any remaining exposed machine keys with automatically generated values that are securely stored in the system registry.

More than 3,000 exposed cryptographic keys are a major cybersecurity concern, since attacking groups can easily compromise web applications with them. Such a breach is all the more dangerous because it allows hackers to remain undetected in the system for long periods of time.

To stay safe, businesses and developers should therefore avoid using publicly exposed machine keys, update their security settings regularly, and harden their defenses against malware. Each of the steps above helps organizations keep unauthorized people out and secure their web applications against exploitation.