Microsoft Security Blog: Code injection attacks using publicly disclosed ASP.NET machine keys

Source URL: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
Source: Microsoft Security Blog
Title: Code injection attacks using publicly disclosed ASP.NET machine keys

Feedly Summary: Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to launch ViewState code injection attacks and perform malicious actions on target servers.
The post Code injection attacks using publicly disclosed ASP.NET machine keys appeared first on Microsoft Security Blog.

AI Summary and Description: Yes

Summary: The text provides an in-depth analysis of recent ViewState code injection attacks leveraging publicly disclosed ASP.NET machine keys, emphasizing the security risks associated with these practices. Key recommendations are offered for securing machine keys and monitoring for vulnerabilities, particularly relevant for infrastructure and application security professionals.

Detailed Description: The document summarizes the findings from Microsoft Threat Intelligence regarding the exploitation of publicly available ASP.NET machine keys, which leads to serious security vulnerabilities. Key points include:

- **Nature of the Threat**:
  - An unattributed threat actor used a publicly available static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
  - Microsoft identified over 3,000 publicly disclosed keys that could facilitate ViewState code injection attacks, highlighting the risks of keys acquired from public resources.

- **Explanation of ViewState Code Injection Attacks**:
  - ViewState is a mechanism in ASP.NET for preserving page state, protected by machine keys: ValidationKey (used to compute the message authentication code that guarantees ViewState integrity) and DecryptionKey (used to encrypt ViewState).
  - Exploitation occurs when these keys are stolen or publicly disclosed, enabling attackers to craft malicious ViewState payloads that the server accepts as valid and thereby gain remote code execution.

- **Incident Specifics**:
  - The attack observed in December 2024 involved a malicious payload designed to execute commands, leveraging the Godzilla framework.

- **Recommendations for Organizations**:
  - Do not use publicly available keys, and rotate machine keys regularly.
  - Use Microsoft Defender for Endpoint to detect the presence of publicly disclosed keys.
  - Remove fixed keys from configuration, as suggested, so that ASP.NET reverts to auto-generated keys.
  - Implement best practices for securing machine keys, including encrypted configuration sections for sensitive values.

- **Microsoft Defender Tools & Alerts**:
  - Use alerts such as “Publicly disclosed ASP.NET machine key” to monitor environments and check continuously for potential exposure.
  - Audit ASP.NET configuration files to track access and changes, enabling proactive identification of unauthorized access attempts.

- **Best Practices and Tool Utilization**:
  - Follow secure DevOps standards during key generation and implementation processes.
  - Apply Microsoft security solutions such as Sentinel for analytics and hunting queries against malicious indicators linked to key exposure.
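As an added example that is not part of the Microsoft post or its tooling, the following Python audit implements the recommendations and detection ideas above: it flags a static `<machineKey>` in a web.config, compares its values against a hypothetical blocklist of SHA-256 hashes of disclosed keys (the sample config, key values and hash list are constructed for this example), and produces a replacement key pair for rotation.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a web.config fragment carrying a static <machineKey>.
# The key values are made up for this example and are not real disclosed keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111BBBB2222AAAA1111BBBB2222AAAA1111BBBB2222AAAA1111BBBB2222"
                decryptionKey="CCCC3333DDDD4444CCCC3333DDDD4444"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Hypothetical blocklist of SHA-256 hashes of publicly disclosed keys.
# The sample's validationKey is hashed here so the check has something to match.
DISCLOSED_KEY_HASHES = {
    hashlib.sha256(b"AAAA1111BBBB2222AAAA1111BBBB2222AAAA1111BBBB2222AAAA1111BBBB2222").hexdigest()
}


def audit_machine_key(config_xml: str) -> dict:
    """Report whether web.config pins a static machineKey and whether it is on the blocklist."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:  # no element at all: ASP.NET auto-generates keys
        return {"static_key": False, "disclosed": False}
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    static = not (vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"))
    disclosed = any(hashlib.sha256(k.encode()).hexdigest() in DISCLOSED_KEY_HASHES
                    for k in (vkey, dkey))
    return {"static_key": static, "disclosed": disclosed}


def new_machine_key() -> dict:
    """Fresh random key pair in the hex format the machineKey element expects."""
    return {"validationKey": secrets.token_hex(64).upper(),  # 64 bytes for HMACSHA256
            "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes for AES-256
            "validation": "HMACSHA256", "decryption": "AES"}


def rotate_machine_key(config_xml: str) -> str:
    """Return web.config text with the static machineKey replaced by a freshly generated pair."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return config_xml
    for attr, value in new_machine_key().items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")
```

Run the audit across every web.config on a server farm; any `disclosed` hit is an immediate rotation and incident-investigation trigger, and a `static_key` hit warrants review even when the value is not on the list.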

This comprehensive overview emphasizes the urgent need for security measures in handling ASP.NET machine keys, providing structured recommendations and leveraging Microsoft tools for ongoing monitoring and incident response. The insights are critical for professionals looking to bolster the security of web applications against code injection vulnerabilities.