Microsoft Threat Intelligence in December observed a “threat actor” using a publicly available ASP.NET machine key to inject malicious code and fetch the Godzilla post-exploitation framework, a “backdoor” web shell used by intruders to execute commands and manipulate files. The company then identified more than 3,000 publicly disclosed ASP.NET machine keys—i.e., keys that were disclosed in code documentation and repositories—that could be used in these types of attacks, called ViewState code injection attacks.
In response, Microsoft Threat Intelligence is warning organizations not to copy keys from publicly available sources and urging them to rotate keys regularly. In a February 6 bulletin, Microsoft Threat Intelligence said that while investigating and protecting against this activity, it observed an insecure practice in which developers used publicly disclosed ASP.NET machine keys from code documentation, repositories, and other public sources, and threat actors then used those same keys to perform malicious actions on target servers. While many previously known ViewState code injection attacks used compromised or stolen keys that were sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification, Microsoft said. The limited malicious activity Microsoft observed in December included the use of one publicly disclosed key to inject malicious code. Microsoft Threat Intelligence continues to monitor for additional use of this attack technique, the company said.
ViewState is the method by which ASP.NET web forms preserve page and control state between postbacks, Microsoft Threat Intelligence said. Data for ViewState is stored in a hidden field on the page and is encoded. To protect ViewState against tampering and disclosure, the ASP.NET page framework uses machine keys. “If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request,” Microsoft Threat Intelligence said in the bulletin. “When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”
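The two defensive actions the bulletin calls for, finding copied machine keys and rotating them, can be checked mechanically. The following is an added example written for this article; it is not Microsoft's tooling and not code from the bulletin. It parses a web.config, flags any static `<machineKey>` whose fingerprint appears in a block list of known-public keys or that is shorter than expected, and rewrites the element with fresh keys from the OS random generator. The web.config, the key values and the block list are constructed for the example, and the minimum key lengths (64-byte HMAC validation key, 32-byte AES decryption key) are an assumption about the settings being audited.

```python
"""Audit an ASP.NET web.config for copied machine keys and rotate them.

Added example for this article: not Microsoft's code or tooling.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config with a machineKey hard-coded the way developers copy
# one out of a tutorial. Both key values are made up for this example.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def fingerprint(key):
    """SHA-256 of the normalised key, so lists of public keys can be shared
    and compared without circulating the key material itself."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


# Constructed block list. In practice this holds fingerprints of keys known to
# be public; here it is seeded with the sample key so the audit has a match.
DISCLOSED_KEY_FINGERPRINTS = {
    fingerprint("A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"),
}

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")
# Assumed minimum hex lengths: 64-byte HMAC validation key, 32-byte AES key.
MIN_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}


def is_static(value):
    """'AutoGenerate' or 'AutoGenerate,IsolateApps' means ASP.NET derives the
    key itself; anything else is a literal key that can be copied and reused."""
    return not value.strip().lower().startswith("autogenerate")


def audit_config(config_xml, blocklist=DISCLOSED_KEY_FINGERPRINTS):
    """Return (attribute, issue) tuples for every <machineKey> in the config."""
    root = ET.fromstring(config_xml)
    issues = []
    for mk in root.iter("machineKey"):
        for attr, min_len in MIN_HEX_LEN.items():
            value = mk.get(attr, "AutoGenerate")
            if not is_static(value):
                continue  # framework-generated keys are not copied from anywhere
            if fingerprint(value) in blocklist:
                issues.append((attr, "matches a publicly disclosed key"))
            if not HEX_KEY.match(value) or len(value) < min_len:
                issues.append((attr, "shorter than expected or not hex"))
    return issues


def generate_machine_key():
    """Fresh keys from the OS CSPRNG, hex-encoded as the machineKey element expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def rotate_machine_keys(config_xml):
    """Return the config with every <machineKey> given newly generated keys."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr, value in generate_machine_key().items():
            mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for attr, issue in audit_config(SAMPLE_WEB_CONFIG):
        print(f"{attr}: {issue}")
    rotated = rotate_machine_keys(SAMPLE_WEB_CONFIG)
    print("issues after rotation:", audit_config(rotated))
```

Rotation invalidates any ViewState already issued under the old keys, so deploy the new values in a maintenance window, and on a web farm every node must receive the same generated keys or postbacks routed to a different node will fail validation.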