Key Takeaways:
Microsoft has disclosed that threat actors are exploiting publicly exposed ASP.NET machine keys to execute ViewState code injection attacks. The company warns that web developers are inadvertently putting their organizations at risk by using these keys from online repositories and documentation in their applications.
Microsoft first observed the attacks in December, when an unknown attacker used a static ASP.NET machine key to deploy the Godzilla post-exploitation framework, a tool cybercriminals use to carry out malicious activity after gaining initial access to a system.
Attackers who obtain an application's ASP.NET machine keys can abuse ViewState, the mechanism ASP.NET uses to preserve the state of a web page between postbacks. With the keys in hand, they can craft a ViewState that contains malicious code and submit it to the server in a POST request.
When the server processes the malicious ViewState, it executes the embedded code, giving the attacker control of the system. This can result in unauthorized access, data theft, or further exploitation of the targeted IIS web server.
“Once it’s processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used,” the Microsoft Threat Intelligence team explained. “The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS Web server.”
Microsoft has found over 3,000 machine keys publicly available across code repositories and other online sources. Cybercriminals can exploit these keys to launch code injection attacks and compromise web applications.
Furthermore, Microsoft discovered that some of these keys were mistakenly included in its own public documentation and has since removed them to prevent misuse. The company also updated its Defender for Endpoint tool to help organizations detect and eliminate exposed keys within their environments.
To prevent attacks, Microsoft advises enterprise customers to avoid using machine keys from online repositories or documentation. Moreover, administrators should regularly rotate keys to reduce the risk of unauthorized access. Microsoft says that fixed machine keys should also be removed from web.config files and replaced with auto-generated values.
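As an added illustration of that last recommendation (this is example code written for this article, not Microsoft's tooling), the following script parses web.config content and flags any `<machineKey>` whose validationKey or decryptionKey is a hard-coded literal rather than an AutoGenerate directive. The two embedded web.config samples are constructed for the example, and the key fingerprints are reported as SHA-256 hashes so findings can be compared against a blocklist without copying the secret.

```python
"""Flag hard-coded ASP.NET machine keys in web.config content."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the risky pattern, a fixed machineKey pasted into web.config.
# The hex values are placeholders for this example, not keys from any real source.
STATIC_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the corrected form, letting ASP.NET generate per-app keys.
SAFE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def find_static_machine_keys(config_xml: str) -> list[dict]:
    """Return one finding per <machineKey> attribute that holds a literal key.

    A <machineKey> may appear under <system.web> or inside a <location>
    override, so every element in the document is inspected. An omitted
    attribute falls back to ASP.NET's default of AutoGenerate,IsolateApps.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.strip().upper().startswith("AUTOGENERATE"):
                continue  # runtime-generated key: not exposed in the file
            findings.append({
                "attribute": attr,
                "sha256": hashlib.sha256(value.encode()).hexdigest(),
            })
    return findings


if __name__ == "__main__":
    for f in find_static_machine_keys(STATIC_WEB_CONFIG):
        print(f"static {f['attribute']} found, fingerprint {f['sha256'][:16]}...")
    print("safe config findings:", find_static_machine_keys(SAFE_WEB_CONFIG))
```

Run it over each web.config in a deployment (or a source repository) and treat any finding as a key to rotate and replace with auto-generated values.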
Lastly, organizations must upgrade applications to ASP.NET 4.8 to enable the Antimalware Scan Interface (AMSI), a Windows feature that lets applications and services integrate with antimalware products to scan content for malicious code. Administrators can also configure attack surface reduction rules (such as blocking web shell creation) to harden Windows servers.