The Article Tells The Story of:
- Attackers exploit exposed ASP.NET machine keys to deploy malware via ViewState code injection attacks.
- Publicly available keys allow remote code execution on IIS servers, leading to severe security risks.
- Microsoft has identified over 3,000 vulnerable keys and warns developers to secure machine keys.
- Microsoft advises strict security measures, including key rotation, app upgrades, and server hardening.
Hackers Use Exposed ASP.NET Keys to Deploy Malware
Microsoft has issued a warning about attackers exploiting exposed ASP.NET machine keys to carry out malware attacks. These keys, which developers sometimes copy from public code documentation and repositories, are critical for protecting ViewState—a mechanism in ASP.NET Web Forms that maintains user inputs across page reloads. When these keys fall into the wrong hands, attackers can manipulate ViewState, injecting malicious code that the ASP.NET Runtime processes as legitimate.
How Attackers Gain Control of Servers
Once attackers obtain the machine key, they can craft malicious ViewState data with a forged message authentication code (MAC). When this data is sent via POST requests, the targeted server decrypts and validates it, unknowingly executing the malicious payload. This process grants attackers remote code execution (RCE) on the server, allowing them to deploy more malware.
In December 2024, an attacker used a publicly known machine key to infect an Internet Information Services (IIS) web server with the Godzilla post-exploitation framework. This malware enables malicious command execution and shellcode injection, significantly compromising the server’s security.
Over 3,000 Public Keys Identified
Microsoft’s investigation revealed over 3,000 publicly available machine keys that could be exploited in these ViewState code injection attacks. Unlike previous attacks that relied on stolen or compromised keys sold on dark web forums, these publicly disclosed keys are readily accessible in multiple online code repositories. This increases the risk of unintentional use in development code, making servers more vulnerable.
How Developers Can Protect Their Servers
To defend against these attacks, Microsoft recommends several security measures:
- Secure Key Generation: Always generate unique machine keys securely. Avoid using default keys or keys found online.
- Encrypt Configuration Files: Encrypt the
machineKeyandconnectionStringselements in the web.config file to prevent unauthorized access to plaintext secrets. - Upgrade to ASP.NET 4.8: This version supports Antimalware Scan Interface (AMSI) capabilities, adding an extra layer of protection.
- Harden Windows Servers: Use attack surface reduction rules, such as blocking webshell creation on servers, to limit vulnerabilities.
Microsoft has also provided detailed instructions for removing or replacing ASP.NET keys using PowerShell or the IIS manager console. To further discourage insecure practices, key samples have been removed from public documentation.
What to Do If Your Server Is Compromised
If a server has been compromised using publicly disclosed keys, simply rotating the machine keys is not enough. Microsoft warns that attackers may have already established backdoors or other persistence methods. In such cases, thorough investigations are necessary. For web-facing servers, Microsoft strongly recommends reformatting and reinstalling them offline to eliminate any hidden threats.
This new wave of attacks highlights the critical importance of secure coding practices and regular security audits. Developers must remain vigilant and proactive to protect their applications and servers from these growing threats.
Related:
- judge finds NSO Group liable for hacking WhatsApp. Published on December 22, 2024 SquaredTech
- Chinese Hackers Exploit U.S. Telecom Backdoor Law – How Safe Is Your Data? Published on October 8, 2024 SquaredTech
- Crypto Scammers Hack OpenAI’s X Account: What You Need to Know Published on September 29, 2024 SquaredTech
Stay Updated: Tech News
