Attackers are exploiting exposed ASP.NET keys to inject malicious code into web applications, leading to unauthorized access and potential data breaches.

Microsoft has announced that a major security issue has been identified where cybercriminals are taking advantage of publicly available ASP.NET machine keys. These keys, usually used to secure web applications, are being altered to insert harmful code, compromising the security of affected systems.

What is ASP.NET and How Does it Work?

ASP.NET is a free framework developed by Microsoft to help people build web applications and services. Part of this framework involves a feature called ViewState, used to help web pages remember user data and maintain this information across different sessions. To protect this data, ASP.NET uses machine keys such as ‘validationKey’ and ‘decryptionKey’ to ward off any malicious activities. These keys are used to encrypt and validate the data, ensuring it remains secure and confidential.

However, an investigation by Microsoft’s Threat Intelligence team has discovered that some developers are copying these machine keys from online sources, such as repositories, and using them in their own applications. This practice quickly becomes a risk when the same keys are reused across multiple applications or when they can easily be found. These scenarios allow threat actors to find these keys and use them to create malicious versions of ViewState data.

How has ViewState Been Compromised?

When a threat actor gets hold of a machine key used by a target application, they can create a malicious ViewState – this is a piece of data typically trusted by the application and won’t ring any alarm bells. The malicious ViewState is sent to the server through a POST request. As the ViewState is signed with the correct machine key, the receiving server believes it’s genuine. Once this data has been received and processed, the server unknowingly executes the malicious code embedded within the ViewState.

This method grants threat actors remote access to the compromised server and free rein to execute any processes they want. So, for example, the threat actors could download additional malware, steal sensitive information, and take full control of the server. In one case, the attackers used this technique to launch a cryptocurrency miner on a compromised server. This allowed the threat actors to take control of any PCs on the infected server and use their resources to generate digital currencies. This may sound harmless, but it comes at the expense of the PCs' performance.

Protecting Yourself from Malicious ViewState

ASP.NET is highly popular and is used by countless websites, so it’s important that we understand the best way to protect users of the framework. Here are Ophtek’s three top tips for safe usage of ASP.NET:

  1. Use Unique and Secure Keys: Developers using ASP.NET should generate unique machine keys for each application. Always avoid copying keys from online sources or reusing them in other applications. This practice ensures that even if one application’s key is compromised, others remain secure.
  2. Regularly Update Systems: It’s paramount that, as with all software, your web applications and servers are up to date with the latest security patches. Regular updates help you address zero-day vulnerabilities and reduce the risk of your IT infrastructure being compromised.
  3. Monitor Application Activity: You should always use monitoring tools to keep an eye on application behavior. Unusual activities, such as unexpected POST requests or unauthorized installs, can be early indicators of a developing attack. By conducting regular audits, you can increase your chances of stopping an infection before it causes damage.
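The first tip above is easy to state but hard to verify by hand once you run more than a couple of applications. The following script is an added example, not code from Ophtek or Microsoft: it reads the `<machineKey>` element from several web.config documents and flags exactly the two conditions the article describes as risky, a validationKey or decryptionKey reused by more than one application, and a key matching a known-public value. The web.config contents, the key values and the "known public" fingerprint set are all constructed for the demo; a real fingerprint list would be built from published leaked keys.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed key material for this demo only. PUBLIC_KEY stands in for a
# value copied from a forum post or public repository and pasted into two apps.
PUBLIC_KEY = "DEADBEEF" * 16          # 128 hex chars, shared by two apps below
PUBLIC_DEC = "CAFEBABE" * 8           # 64 hex chars, also shared
UNIQUE_KEY = "0123456789ABCDEF" * 8   # 128 hex chars, used by one app only
UNIQUE_DEC = "FEDCBA9876543210" * 4   # 64 hex chars, used by one app only

# Fingerprints (SHA-256 of the lowercased key) of keys known to be public.
# Storing fingerprints rather than raw keys keeps leaked key material out of
# the audit tool itself. This set is constructed for the example.
KNOWN_PUBLIC_FINGERPRINTS = {
    hashlib.sha256(PUBLIC_KEY.lower().encode()).hexdigest(),
}


def config_with(validation, decryption):
    """Build a minimal web.config document with an explicit <machineKey>."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation}" decryptionKey="{decryption}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


# Constructed sample: four hypothetical applications on one server.
SAMPLE_CONFIGS = {
    "intranet": config_with(PUBLIC_KEY, PUBLIC_DEC),
    "portal":   config_with(PUBLIC_KEY, PUBLIC_DEC),   # same copied keys
    "billing":  config_with(UNIQUE_KEY, UNIQUE_DEC),   # properly unique keys
    "legacy":   config_with("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}


def parse_machine_key(xml_text):
    """Return {'validationKey': ..., 'decryptionKey': ...} or None if no element."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", ""),
        "decryptionKey": node.get("decryptionKey", ""),
    }


def fingerprint(key):
    return hashlib.sha256(key.lower().encode()).hexdigest()


def audit(configs, known_public=KNOWN_PUBLIC_FINGERPRINTS):
    """Return a sorted list of (app, finding) tuples for the given web.config texts."""
    findings = []
    owners = defaultdict(list)  # key fingerprint -> [(app, attribute), ...]
    for app, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            continue  # no explicit key: ASP.NET auto-generates one per application
        for attr in ("validationKey", "decryptionKey"):
            value = mk[attr]
            if value.startswith("AutoGenerate"):
                continue  # generated per app/server, so not a reuse risk
            fp = fingerprint(value)
            owners[fp].append((app, attr))
            if fp in known_public:
                findings.append((app, f"{attr} matches a known public key"))
    # Any fingerprint owned by more than one application is a reuse finding.
    for users in owners.values():
        apps = sorted({app for app, _ in users})
        if len(apps) > 1:
            for app, attr in users:
                findings.append((app, f"{attr} reused across {', '.join(apps)}"))
    return sorted(set(findings))


if __name__ == "__main__":
    for app, finding in audit(SAMPLE_CONFIGS):
        print(f"[{app}] {finding}")
```

On a real server you would feed `audit()` the contents of every site's web.config (and the server-level applicationHost.config or root web.config, where a shared key may also be set). Applications whose keys are left to auto-generate produce no findings, which is the safe default the article's first tip is steering you toward.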

For more ways to secure and optimize your business technology, contact your local IT professionals.

North Korean hackers from the Lazarus Group have launched a major cyberattack by cloning open-source software and infecting it with malware.

A recent cyberattack has found the North Korean hacking group Lazarus targeting software developers by modifying open-source tools to include malware. Open-source software, freely available for anyone to use or modify, has become a crucial part of software development. However, Lazarus exploited this understanding by injecting malicious code into genuine software. This led to numerous systems becoming compromised, particularly those used by developers in the Web3 and cryptocurrency industries.

Lazarus Attacks Open-Source Software

SecurityScorecard, a cybersecurity organization, discovered that Lazarus had carried out a supply-chain attack known as “Phantom Circuit.” Lazarus selected popular open-source projects to target and embedded malicious code into them. These compromised tools were then uploaded to code-sharing platforms such as GitLab, where developers soon downloaded and started using them.

Once executed, the compromised software set about installing data-stealing malware on the victims’ PCs. The malware’s main objective was harvesting sensitive data such as login credentials, authentication tokens, and other security information. This gave the threat actors full and unauthorized access to their targets’ accounts, allowing them to modify and steal digital assets.

Over 1,500 victims were affected, with the majority located in Europe, India and Brazil. SecurityScorecard was keen to point out that many of the victims were software engineers, mostly working in cryptocurrency and blockchain technology. In particular, Lazarus targeted modified repositories which hosted Web3 development tools, authentication systems, and cryptocurrency software. These are all attractive targets for threat actors who are looking to make a quick buck through nefarious means and cause digital chaos to IT infrastructures.

How to Protect Yourself

Lazarus has committed numerous cyberattacks in the recent past, with Ophtek previously reporting on their attack on healthcare organizations in 2023. A well-resourced hacking group, Lazarus has the capability to create powerful and devastating malware. Accordingly, you need to make sure your IT defenses are secure against them and similar hacking groups.

Cybersecurity awareness, as ever, is key to protecting your digital assets, so make sure you follow these best security practices:

  • Verify Your Software Sources: always double-check where your software is coming from before you hit that download button. Stick to official developer websites and trusted repositories e.g. regularly updated GitHub projects. If a new tool appears out of nowhere or is uploaded by an unknown user, think twice before installing it. If in doubt, remember the golden advice: double check it with an IT professional.
  • Keep Your Security Software Updated: first of all, make sure you have antivirus and anti-malware software protecting your systems – these can be downloaded from companies such as AVG and Kaspersky. Secondly, as new cyber threats emerge every day, you need to keep your security software up to date to protect you from new malware. Regular updates will ensure you stay one step ahead of the threat actors.
  • Train Your Employees: Well-trained employees are your first line of defense against cyber threats. Regular cybersecurity training can help your staff recognize phishing attempts, avoid suspicious links, and practice safe browsing and downloading habits. By keeping your team trained and up to date, you can ensure employees stay aware of evolving threats, reducing the risk of security breaches.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A hacker has tricked over 18,000 aspiring cybercriminals into downloading a fake malware builder which secretly infects their computers.

Yes, even threat actors can find themselves falling victim to their fellow hackers. In this surprising case, threat actors attempting to access malicious tools for committing cybercrimes were targeted by a more experienced hacker. These beginner hackers – known as “script kiddies” due to their limited skills – were tricked into downloading what they believed was a tool to create malware. Instead, they soon discovered that this ‘tool’ infected their devices.

Naturally, most readers of the Ophtek blog are looking to protect their IT systems rather than committing cybercrimes. Nonetheless, this cautionary tale contains plenty of lessons to be learned for all PC users.

The Hunter Becomes the Hunted

At the center of this attack is a weaponized version of a malware creation tool, one designed to generate the XWorm Remote Access Trojan. The attacker uploaded this fake tool to multiple platforms including GitHub repositories, Telegram channels, and YouTube tutorials. Advertised as a free and effective way to create malware, the bait was set to attract victims looking for a shortcut to their hacking goals. And they certainly took the bait, over 18,000 of them.

Unfortunately, once the program was executed, it was far from helpful. Instead of generating malware, the tool set about installing a backdoor on the victim’s PC. This gave the attacker unauthorized access to the now compromised system. With free rein to the infected PC, the threat actor could steal personal information, monitor activity on the PC, and take full control of the device. The attack claimed countless victims, with affected machines reported from the United States to Russia.

Researchers also found that the threat actor included a kill switch within the malware; this was later used to uninstall the malicious software from many of the infected machines. However, some systems remained infected and at risk of being compromised further. Quite why this kill switch was included is a mystery. Hackers rarely want to see their efforts curtailed, but it may be that this particular attack was an experiment or a rehearsal for something much bigger.

How Can You Protect Your PCs?

This latest attack highlights the risks of downloading software from untrusted sources, even if you happen to be a hacker yourself. So, with everyone at risk of similar attacks, we’ve put together three important tips to keep you safe:

  1. Only Download from Trusted Sources: Make sure you always use reputable and official websites for downloading software. Avoid downloading files from unfamiliar websites, torrent sites, or websites which look suspicious – if in doubt, check with an IT professional.
  2. Use Antivirus Tools: Install and maintain up-to-date antivirus software – such as AVG and Kaspersky – on your devices. These tools, which are available as free versions, provide a crucial line of defense against malware threats.
  3. Remain Cautious: Stay updated on the latest cybersecurity trends and threats – you can make a start by bookmarking the Ophtek blog. Always be suspicious of anything online which sounds too good to be true, such as free access to subscriber-only tools, or urgent calls to install vital updates.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Cybercriminals are increasingly embedding malware within website images to evade detection and compromise IT systems.

Recent investigations have revealed a growing trend among threat actors: hiding malicious code within image files hosted on trusted websites. This approach allows the attackers to bypass traditional security measures, which tend to trust well-known and widely used websites. As ever, the attack begins with a phishing email designed to trick the victim into unleashing the malware. The phishing email in question has taken numerous forms such as invoices or purchase orders. Once opened, the file exploits a Microsoft Office vulnerability.

Emails are an essential part of business, so it’s crucial that you understand how this attack works to keep your IT infrastructure safe.

Unpacking the Image Attack

The vulnerability at the heart of the attack can be found in Microsoft Office’s Equation Editor (CVE-2017-11882). This vulnerability enables a malicious script to run, downloading an image file from a trusted website (such as archive.org). The image may, to the average PC user, look harmless, but hidden within its metadata is malicious code. This is used to automatically install spyware and keyloggers such as VIP Keylogger and Obj3tivityStealer. These slices of malware allow the threat actors to monitor your systems, harvest sensitive data, and gain access to financial information.
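An image that carries a payload in its metadata is usually still a perfectly valid image, so a viewer shows nothing unusual. What a defender can check is whether the file contains more than an image needs to. The script below is an added example, not code from the original article or from any vendor it mentions: it builds a tiny constructed PNG in memory, then inspects PNG and JPEG data for two places where extra content commonly hides, oversized text metadata chunks and bytes appended after the image's end marker. The 256-byte text threshold and the sample images are this example's own choices.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(text_chunks=(), trailing=b""):
    """Build a minimal, valid 1x1 RGB PNG (constructed test image).

    text_chunks: iterable of (keyword, value) byte pairs written as tEXt chunks.
    trailing:    bytes appended after IEND, where a viewer will ignore them.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    scanline = b"\x00" + b"\x00\x00\x00"                   # filter byte + one pixel
    data = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
    for keyword, value in text_chunks:
        data += png_chunk(b"tEXt", keyword + b"\x00" + value)
    data += png_chunk(b"IDAT", zlib.compress(scanline)) + png_chunk(b"IEND", b"")
    return data + trailing


def inspect_png(data, max_text_len=256):
    """Walk the chunk list and report oversized text metadata and post-IEND data."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG"]
    pos = len(PNG_SIGNATURE)
    found_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and length > max_text_len:
            findings.append(f"oversized {ctype.decode()} chunk ({length} bytes)")
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            found_iend = True
            break
    if not found_iend:
        findings.append("no IEND chunk")
        return findings
    extra = len(data) - pos
    if extra > 0:
        findings.append(f"{extra} bytes after IEND")
    return findings


def inspect_jpeg(data):
    """Report bytes after the last EOI marker (FF D9).

    In entropy-coded data every FF is stuffed or followed by a RSTn marker, so
    the final FF D9 in a well-formed file is the real end of image.
    """
    if not data.startswith(b"\xff\xd8"):
        return ["not a JPEG"]
    eoi = data.rfind(b"\xff\xd9")
    if eoi == -1:
        return ["no EOI marker"]
    extra = len(data) - (eoi + 2)
    return [f"{extra} bytes after EOI"] if extra > 0 else []


def inspect_image(data):
    """Dispatch on the file signature; unknown formats are reported, not guessed."""
    if data.startswith(PNG_SIGNATURE):
        return inspect_png(data)
    if data.startswith(b"\xff\xd8"):
        return inspect_jpeg(data)
    return ["unrecognised image format"]


if __name__ == "__main__":
    clean = make_png(text_chunks=[(b"Author", b"constructed sample")])
    suspicious = make_png(text_chunks=[(b"Comment", b"A" * 1000)], trailing=b"PAYLOAD" * 10)
    for name, img in (("clean.png", clean), ("suspicious.png", suspicious)):
        print(name, inspect_image(img) or ["no findings"])
```

This is a triage check, not a detector: a large `iTXt` chunk can be a legitimate XMP block, and data after the end marker is sometimes harmless padding, so the findings are prompts to quarantine and examine a download, alongside the network monitoring the article recommends.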

What’s interesting – or disturbing, depending on your perspective – about the attack is that it appears to harness the power of AI. Cybercriminals are increasingly turning to generative AI to create convincing phishing emails, malicious scripts, and even HTML web pages which can host malicious payloads. This is making attacks much easier to launch while also lowering the barrier to entry for anyone wanting to target your IT networks.

Keeping Your IT Systems Secure

No business wants keyloggers and spyware downloaded onto their IT infrastructure, so it’s vital that you keep it secure and protected. It’s impossible to keep it 100% safe, but you can optimize its strength by following these three tips:

  1. Regularly Update Your Software: make sure all your software, especially Microsoft Office applications, is up to date. Software developers release regular updates to patch vulnerabilities – like CVE-2017-11882 – which attackers seek to exploit. As well as enabling automatic updates, schedule regular checks for patches to ensure that critical updates are not missed. And remember, this applies to all software on your networks.
  2. Use Advanced Email Security: always utilize email filtering tools to automatically block phishing emails before they reach your staff. These highly effective solutions can scan all incoming messages for suspicious links, attachments, or blacklisted senders to prevent them from reaching your employee inboxes. Also, make sure your team are educated on the danger signs of a phishing email. Regular training and refresher sessions can help maximize the security of your first-line defenses.
  3. Monitor Network Activity: Use network monitoring tools to detect unusual activities, such as unexpected downloads or unauthorized connections. These tools can indicate potential threats early, allowing you to respond quickly before threat actors secure a foothold within your systems. Make sure that you establish a program of regular reviews for your activity logs; this approach will enable you to spot anomalies and take action.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A recent cyberattack has compromised several popular Google Chrome extensions, infecting millions of users with data-stealing malware.

In early January 2025, cybersecurity researchers at Extension Total discovered a malicious campaign targeting Chrome extensions which offer AI services. The threat actors hijacked at least 36 extensions – including Bard AI Chat, ChatGPT for Google Meet, and ChatGPT App – with approximately 2.6 million users affected. This widespread attack has raised the alarm among users and software developers as, previously, these extensions were highly trusted.

With 3.45 billion people using Chrome as their browser, it’s no surprise that threat actors would target it. This attack is especially ingenious, so we’re going to take a deep dive into it.

How Were the Chrome Extensions Compromised?

The affected extensions may be named after popular AI tools like Bard and ChatGPT, but they are third-party applications with no development from Google or OpenAI. Third-party extensions can, of course, be legitimate, but these compromised extensions were far from helpful. Instead, they were used to deliver fake updates containing malware.

The malware was designed to steal sensitive user information, specifically targeting data related to Facebook Ads accounts. Therefore, this posed a significant threat to businesses which rely on Facebook for marketing and sales. With this stolen data, the threat actors could use it for unauthorized access, financial and identity theft, or to fuel phishing attacks.

In response to the attack, many of the affected extensions have been removed from the Chrome Store to limit further infections. However, others remain available, exposing users to the malware. Chrome, as we’ve already mentioned, is hugely popular, with around 130,000 extensions available to install. The risk of a security incident, as you would imagine, is high; this recent attack underscores the importance of practicing vigilance when installing extensions.

Staying Safe from Rogue Chrome Extensions

Browser extensions are designed to help users by enhancing functionality and making everyday browsing easier. However, this recent attack has also demonstrated that they’re a security risk. Ophtek wants to keep you safe from similar attacks, so we’ve put together our top tips for protecting your PC from rogue extensions:

  • Install Extensions from Trusted Sources: you should only ever download extensions from reputable developers and official web stores. Before hitting that install button, always carry out some research on the developer, read user reviews, and check ratings to assess how legitimate it is.
  • Limit Extension Permissions: extensions often require permissions to function correctly on your PC but be very careful of any extension which requests a long list of permissions e.g. access to browsing data, microphone control, and cookies. You should only ever grant permissions to what is necessary for the extension to operate. If in doubt of a permission request, seek help from an IT professional.
  • Update Extensions: always ensure your extensions are kept up to date, as developers often release patches to fix security vulnerabilities. Regularly check for updates and keep an eye out for any unusual browser behavior such as strange pop-ups, redirects to other sites, or performance issues. Additionally, if you have extensions you no longer use, remove these to reduce your exposure to risk.

For more ways to secure and optimize your business technology, contact your local IT professionals.
