
Exploitation of Leaked Machine Keys by Initial Access Broker

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted organizations in Europe and the U.S. across industries including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

OPENCTI LABELS:

in-memory execution, privilege escalation, post-exploitation, iis, initial access broker, asp.net, machine keys, updf, view state deserialization, txportmap
