
Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks

By Viral Trending Content 5 Min Read

Feb 07, 2025Ravie LakshmananCloud Security / Web Security

Microsoft is warning of an insecure practice wherein software developers incorporate publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby exposing their applications to attack.

The tech giant’s threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.

It also noted that it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it’s calling ViewState code injection attacks.


“Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification,” Microsoft said.

ViewState is a method used in the ASP.NET framework to preserve page and control values between postbacks. This can also include application data that is specific to a page.

“By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding,” Microsoft notes in its documentation. “In addition, a hash of the view state data is created from the data by using a machine authentication code (MAC) key. The hash value is added to the encoded view state data and the resulting string is stored in the page.”

The hash value is meant to ensure that the view state data has not been corrupted or tampered with by malicious actors. That said, if these keys are stolen or made accessible to unauthorized third parties, a threat actor can use them to send a malicious ViewState request and execute arbitrary code.

“When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used,” Redmond noted. “The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”

Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging customers to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host.

To mitigate the risk posed by such attacks, it’s advised to not copy keys from publicly available sources and to regularly rotate keys. As a further step to deter threat actors, Microsoft said it removed key artifacts from “limited instances” where they were included in its documentation.
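One way to run the check described above, as an added example (not Microsoft's script and not code from the article): it finds static `machineKey` values in a `web.config` and compares their hashes with a list of disclosed-key hashes. The SHA-256-of-upper-cased-key fingerprint, the function names and the sample key are assumptions; match the hashing to the format of the list you actually use.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the key below is a made-up placeholder, not a real disclosed key.
SAMPLE_KEY = "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_KEY}"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key_hex: str) -> str:
    """Assumed list format: SHA-256 of the upper-cased key string, as lower-case hex."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()


def audit_machine_keys(config_xml: str, disclosed_hashes: set) -> list:
    """Return (attribute, status) for every static key found in a web.config."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Strip an optional XML namespace so older configs with xmlns still match.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            # AutoGenerate means the runtime creates the key, so no key material sits in the file.
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue
            known = key_fingerprint(value) in disclosed_hashes
            findings.append((attr, "disclosed" if known else "static"))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the published hash list.
    disclosed = {key_fingerprint(SAMPLE_KEY)}
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, disclosed):
        print(f"machineKey {attr}: {status}")
```

A `static` result is not a match against the list, but it still marks a hard-coded key that falls under the rotation advice above.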


The development comes as cloud security company Aqua revealed details of an OPA Gatekeeper bypass that could be exploited to conduct unauthorized actions in Kubernetes environments, including deploying unauthorized container images.

“In the k8sallowedrepos policy, a security risk arises from how the Rego logic is written in the ConstraintTemplate file,” researchers Yakir Kadkoda and Assaf Morag said in an analysis shared with The Hacker News.

“This risk is further amplified when users define values in the Constraint YAML file that do not align with how the Rego logic processes them. This mismatch can result in policy bypasses, making the restrictions ineffective.”
