Microsoft Malware Keys: Latest Updates and Analysis

New Microsoft script updates Windows media with bootkit malware fixes

Microsoft has released a PowerShell script to help Windows consumers and admins modification bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.

BlackLotus is a UEFI bootkit that can bypass Secure Boot and gain control over the operating system's boot process. Once in control, BlackLotus can disable Windows security aspects, such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, allowing it to deploy malware at the highest privilege level while remaining undetected.

In March 2023 and then July 2024, Microsoft released security updates for a Secure Boot bypass tracked as CVE-2023-24932 that revokes vulnerable boot managers used by BlackLotus.

However, this fix is disabled by default, as incorrectly applying the upgrade or conflicts on devices could cause the operating system to no longer load. Instead, rolling out the fix in stages allows Windows admins to test it before it is enforced sometime before 2026.

When enabled, the security revision will add the "Windows UEFI CA 2023" certificate to the UEFI "Secure Boot Signature Database." Admins can then install newer boot managers that are signed with this certificate.

This process also includes updating the Secure Boot Forbidden Signature Database (DBX) to add the "Windows Production CA 2011" certificate. This certificate is used to sign older, vulnerable boot managers, and once revoked, will cause those boot managers to become untrusted and not load.

However, if you apply the mitigations and run into an issue booting your devices, you must first modification your bootable media to use the Windows UEFI CA 2023 certificate to troubleshoot the Windows install.

"If you encounter an issue with the device after applying the mitigations and the device becomes unbootable, you might be unable to start or recover your device from existing media," Microsoft explains in a support bulletin about the staged rollout of fixes for CVE-2023-24932.

"Recovery or install media will need to be updated so that it will work with a device that has the mitigations applied."

Yesterday, Microsoft released a PowerShell script that helps you revision bootable media so it uses the Windows UEFI CA 2023 certificate.

Script to apply CVE-2023-24932 mitigations to bootable Windows media.

"The PowerShell script described in this article can be used to revision Windows bootable media so that the media can be used on systems that trust the Windows UEFI CA 2023 certificate," explains a new support bulletin about the script.

The PowerShell script can be downloaded from Microsoft and can be used to revision bootable media files for ISO CD/DVD image files, a USB flash drive, a local drive path, or a network drive path.

To utilize the utility, you must first download and install the Windows ADK, which is necessary for this script to work correctly.

When run, the script will revision the media files to use the Windows UEFI CA 2023 certificate and install the boot managers signed by this certificate.

It is strongly advised that Windows admins test this process before the enforcement stage of the security updates is reached. Microsoft says this will happen by the end of 2026 and will give a six-month notice before it begins.

British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the firm's systems.

Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this ......

The FCC has proposed a $4,492,500 fine against VoIP service provider Telnyx for allegedly allowing clients to make robocalls posing as fictitious FC......

Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks

Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed [website] machine keys from publicly accessible resources, thereby putting their applications in attackers' pathway.

The tech giant's threat intelligence team noted it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static [website] machine key to inject malicious code and deliver the Godzilla post-exploitation framework.

It also noted that it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it's calling ViewState code injection attacks.

"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," Microsoft showcased.

ViewState is a method used in the [website] framework to preserve page and control values between postbacks. This can also include application data that is specific to a page.

"By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding," Microsoft notes in its documentation. "In addition, a hash of the view state data is created from the data by using a machine authentication code (MAC) key. The hash value is added to the encoded view state data and the resulting string is stored in the page."

In using a hash value, the idea is to ensure that the view state data has not been corrupted or tampered with by malicious actors. That stated, if these keys are stolen or made accessible to unauthorized third-parties, it opens the door to a scenario where the threat actor can leverage the keys to send a malicious ViewState request and execute arbitrary code.

"When the request is processed by [website] Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used," Redmond noted. "The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server."

Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging end-individuals to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host.

To mitigate the risk posed by such attacks, it's advised to not copy keys from publicly available insights and to regularly rotate keys. As a further step to deter threat actors, Microsoft stated it removed key artifacts from "limited instances" where they were included in its documentation.

The development comes as cloud security corporation Aqua revealed details of an OPA Gatekeeper bypass that could be exploited to conduct unauthorized actions in Kubernetes environments, including deploying unauthorized container images.

"In the k8sallowedrepos policy, a security risk arises from how the Rego logic is written in the ConstraintTemplate file," researchers Yakir Kadkoda and Assaf Morag expressed in an analysis shared with The Hacker News.

"This risk is further amplified when clients define values in the Constraint YAML file that do not align with how the Rego logic processes them. This mismatch can result in policy bypasses, making the restrictions ineffective."

Threat actors have been observed exploiting in recent times disclosed security flaws in SimpleHelp's Remote Monitoring and Management (RMM) software as a pre......

India's central bank, the Reserve Bank of India (RBI), expressed it's introducing an exclusive.

New mobile apps from the Chinese artificial intelligence (AI) business DeepSeek have remained among the top three “free” downloads for Apple and Google......

Microsoft says attackers use exposed ASP.NET keys to deploy malware

Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP. NET machine keys found online.

As Microsoft Threat Intelligence experts in the recent past discovered, some developers use [website] validationKey and decryptionKey keys (designed to protect ViewState from tampering and information disclosure) found on code documentation and repository platforms in their own software.

ViewState enables [website] Web Forms to control state and preserve user inputs across page reloads. However, if attackers get the machine key designed to protect it from tampering and information disclosure, they can use it in code injection attacks to craft malicious payloads by attaching crafted message authentication code (MAC).

However, threat actors also use machine keys from publicly available findings in code injection attacks to create malicious ViewStates (used by [website] Web Forms to control state and preserve pages) by attaching crafted message authentication code (MAC).

When loading the ViewStates sent via POST requests, the [website] Runtime on the targeted server decrypts and validates the attackers' maliciously crafted ViewState data because it uses the right keys, loads it into the worker process memory, and executes it.

This grants them remote code execution (RCE) on the targeted IIS web servers, allowing them to deploy additional malicious payloads.

In one instance, observed in December 2024, an unattributed attacker used a publicly known machine key to deliver the Godzilla post-exploitation framework, which capabilities malicious command execution and shellcode injection capabilities, to a targeted Internet Information Services (IIS) web server.

ViewState code injection attack chain (Microsoft).

"Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which are called ViewState code injection attacks," the firm mentioned on Thursday.

"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification."

To block such attacks, Microsoft recommends developers securely generate machine keys, not use default keys or keys found online, encrypt machineKey and connectionStrings elements to block access to plaintext secrets, upgrade apps to use [website] [website] to enable Antimalware Scan Interface (AMSI) capabilities, and harden Windows Servers by using attack surface reduction rules such as Block Webshell creation for Servers.

Microsoft also shared detailed steps for removing or replacing [website] keys in the [website] configuration file using either PowerShell or the IIS manager console and removed key samples from its public documentation to further discourage this insecure practice.

"If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted," Redmond warned.

"In particular, web-facing servers should be fully investigated and strongly considered for re-formatting and re-installation in an offline medium in cases where publicly disclosed keys have been identified, as these servers are most at risk of possible exploitation."

Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed [website] machine keys from publicly acces......

The foundations for social engineering attacks – manipulating humans – might not have changed much over the years. It's the vectors – how these techni......

Microsoft Edge 133 is now rolling out globally, and it ships with several improvements, including a new scareware blocker feature. In addition, Micros......