IAB Attack Comedy: When Leaked Machine Keys Make Cybersecurity a Real Page-Turner!
Unit 42 researchers discovered a campaign exploiting leaked Machine Keys to breach organizations. The initial access broker (IAB) then sells this access to other threat actors. The temporary group TGR-CRI-0045, linked to Gold Melody, has targeted industries in Europe and the U.S. using ASP.NET View State deserialization.
Hot Take:
In the latest escapade of cyber-mischief, a group of digital tricksters known as TGR-CRI-0045 has been exploiting the virtual equivalent of a skeleton key to sneak into organizations’ online safe houses. Their weapon of choice? Leaked Machine Keys from ASP.NET sites. Think of it as finding your neighbor’s front door key under their doormat and letting yourself in to raid the cookie jar. Only in this case, the cookie jar is a server, and the cookies are sensitive data. Bravo, digital burglars!
Key Points:
- Initial Access Broker (IAB) TGR-CRI-0045 exploits leaked Machine Keys to infiltrate organizations.
- The group uses ASP.NET View State deserialization to execute malicious payloads in server memory.
- Victims are primarily in the financial, manufacturing, and tech sectors across Europe and the U.S.
- Detection is challenging due to minimal on-disk presence and stealthy in-memory operations.
- Recommendations include reviewing Microsoft’s guidance on Machine Key security.