Microsoft Warns of ViewState Code Injection Attacks Using Publicly Disclosed Machine Keys

Microsoft Threat Intelligence has identified a limited attack campaign leveraging publicly available ASP.NET machine keys to conduct ViewState code injection attacks.

The attacks, first observed late last year, involved an unknown attacker using a static ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework, which allows attackers to execute commands and inject shellcode on compromised servers.

ViewState is a mechanism in ASP.NET Web Forms that preserves page state between user interactions. It relies on two machine keys, the ValidationKey and the DecryptionKey, to secure that state. However, Microsoft’s investigation revealed that more than 3,000 machine keys have been publicly disclosed through code repositories and other online sources.

Once in the hands of attackers, these keys can do real damage to a targeted system. Per Microsoft Threat Intelligence:

If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request. When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.

The recent attack used a known public machine key to execute malicious ViewState payloads, leading to the deployment of the Godzilla framework, a post-exploitation tool that can execute arbitrary commands, inject shellcode and maintain presence on an exploited server.

Shortly after the attacks in December were identified, Microsoft, in its own words, "removed key samples from limited instances" of its documentation and updated Microsoft Defender for Endpoint to help organizations identify any publicly disclosed keys present in their environments.

To assist in identifying any possibly compromised keys that may be in your environment, Microsoft has provided a list of hash values associated with the Godzilla incident.

If any publicly disclosed keys are identified, Microsoft has a list of recommendations to address them, including:

  • Avoid using publicly available machine keys from online repositories or documentation.
  • Regularly rotate ASP.NET machine keys to prevent unauthorized reuse.
  • Remove fixed machine keys from web.config files and rely on auto-generated values where possible.
  • Enable Antimalware Scan Interface (AMSI) by upgrading applications to ASP.NET 4.8.
  • Harden Windows Servers with attack surface reduction rules, such as blocking Web shell creation.
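The recommendations to remove fixed keys from web.config and to identify publicly disclosed ones can be turned into a simple audit. The following Python check is an added example, not Microsoft's tooling: it parses a web.config, flags any static <machineKey> values, and compares their SHA-256 fingerprints against a set of disclosed-key hashes. The disclosed-key hash set and both config fragments are constructed for the demonstration; a real scan would load the hash list Microsoft published.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a "publicly disclosed" key (128 hex chars, the
# size of a typical HMACSHA256 validationKey). Only used to seed the hash set.
_SAMPLE_DISCLOSED_KEY = "0123456789ABCDEF" * 8


def key_fingerprint(value: str) -> str:
    """SHA-256 of a key value, so the scan compares hashes, not raw keys."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()


# Assumption: in practice this set is filled from Microsoft's published list.
KNOWN_DISCLOSED_KEY_HASHES = {key_fingerprint(_SAMPLE_DISCLOSED_KEY)}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of one web.config.

    'AutoGenerate' (optionally ',IsolateApps') is the safe default. Any literal
    key is static and should be rotated; a key whose fingerprint is in the
    disclosed set is treated as compromised."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return []  # no explicit element: ASP.NET auto-generates the keys
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.split(",")[0].strip().lower() == "autogenerate":
            continue
        if key_fingerprint(value) in KNOWN_DISCLOSED_KEY_HASHES:
            findings.append(f"{attr}: matches a publicly disclosed key (treat as compromised)")
        else:
            findings.append(f"{attr}: static key in web.config; rotate and prefer AutoGenerate")
    return findings


# Constructed web.config fragments: one with fixed keys, one using the safe default.
STATIC_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{_SAMPLE_DISCLOSED_KEY}"
              decryptionKey="{'FEDCBA9876543210' * 4}"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

SAFE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```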

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
