Microsoft Threat Intelligence recently observed a concerning trend: a threat actor using publicly available ASP.NET machine keys to inject malicious code and deploy the Godzilla post-exploitation framework. Godzilla is a web shell that lets an intruder execute commands and manipulate files on the compromised server, a serious threat to any organization running it unknowingly. After identifying more than 3,000 publicly disclosed ASP.NET machine keys, Microsoft Threat Intelligence warned developers not to copy keys from public sources and stressed that keys should be rotated regularly to limit the window in which a leaked key is useful to an attacker.
According to a bulletin published on February 6 by Microsoft Threat Intelligence, the investigation found that developers had copied publicly disclosed ASP.NET machine keys from code documentation and public repositories into their own applications, and that threat actors then used those same keys against the servers running them. Earlier ViewState code injection attacks relied on compromised or stolen keys sold on dark web forums; publicly disclosed keys are a greater risk because anyone can find them, and many applications may share the same value. The bulletin described limited activity observed in December in which one publicly disclosed key was used to inject malicious code.
ViewState is the mechanism ASP.NET Web Forms uses to preserve page and control state between postbacks. The state is serialized and base64-encoded into a hidden form field (the encoding is not a security measure). To protect ViewState against tampering and disclosure, the ASP.NET page framework relies on the machine keys configured in the machineKey element: the validationKey produces the message authentication code (MAC) the runtime checks before it trusts the field, and the decryptionKey optionally encrypts it. If those keys are known to an attacker, the protection inverts: the attacker can craft a ViewState carrying a malicious serialized payload, sign (and, if required, encrypt) it with the stolen keys, and submit it to the site in a POST request. The ASP.NET runtime on the target decrypts the ViewState, sees a valid MAC, and deserializes it, which executes the injected code in the memory of the IIS worker process. The result is remote code execution on the web server without any exploit of the application's own code.
Microsoft Threat Intelligence continues to monitor the use of this technique and stresses proactive measures to prevent unauthorized access and code injection. Organizations are advised to check the machineKey element of every ASP.NET application for values copied from public sources, to replace any such values with freshly generated random keys rather than with another example found online, and to rotate keys on a regular schedule. Two caveats matter in practice: new keys must be deployed to every server in a web farm that shares ViewState or session state, otherwise postbacks between servers fail; and rotating keys does not remove a web shell or other persistence that an attacker has already planted, so a server where injection is suspected also needs an investigation. By staying vigilant and following these recommendations, organizations can better protect their systems and data from this evolving threat.
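The check and the rotation described above, as an added example that is not part of the Microsoft bulletin and not Microsoft's own script. It parses a web.config, flags a machineKey whose validationKey or decryptionKey appears in a list of known-disclosed values, flags weak validation or decryption algorithms and short keys, and writes back a freshly generated machineKey. The disclosed-key set and both sample configurations are constructed placeholders for illustration; the real list would come from an internal inventory of values seen in public documentation and repositories.

```python
"""Audit an ASP.NET web.config <machineKey> for publicly disclosed or weak keys
and emit a replacement with freshly generated random keys.
Added example; not the script from the Microsoft bulletin."""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for key values copied from public docs
# or repositories. These are NOT real disclosed keys; in practice this set is
# loaded from an internal inventory of values known to appear in public sources.
DISCLOSED_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars, the shape of an HMACSHA256 validationKey
    "FEDCBA9876543210" * 4,   # 64 hex chars, the shape of an AES-256 decryptionKey
}

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
WEAK_DECRYPTION = {"DES", "3DES"}
HEX = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: a site whose keys were pasted from a public example and
# which still uses SHA1 validation.
SAMPLE_BAD_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(vk="0123456789ABCDEF" * 8, dk="fedcba9876543210" * 4)

# Constructed sample: no explicit machineKey, so ASP.NET auto-generates per-machine keys.
SAMPLE_AUTO_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml, disclosed_keys=DISCLOSED_KEYS):
    """Return a list of findings for the <machineKey> element; empty means clean."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Auto-generated keys are unique to the machine and cannot have been
        # copied from a public source, so there is nothing to flag here.
        return []
    findings = []
    # Minimum hex lengths match what IIS generates: 64-byte validation,
    # 32-byte (AES-256) decryption keys.
    for attr, min_hex_len in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in disclosed_keys:      # hex compares case-insensitively
            findings.append(f"{attr} matches a publicly disclosed key")
        if not HEX.fullmatch(value):
            findings.append(f"{attr} is not a hex string")
        elif len(value) < min_hex_len:
            findings.append(f"{attr} is shorter than {min_hex_len // 2} bytes")
    validation = mk.get("validation", "HMACSHA256")   # .NET 4.x default
    if validation.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={validation} is weak; use HMACSHA256 or stronger")
    decryption = mk.get("decryption", "Auto")
    if decryption.upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={decryption} is weak; use AES")
    return findings


def rotate_machine_key(config_xml):
    """Replace (or add) <machineKey> with freshly generated random keys and
    return the new config text. Deploy the same result to every server in a
    web farm that shares ViewState or session state."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())   # 64 random bytes
    mk.set("decryptionKey", secrets.token_hex(32).upper())   # 32 random bytes (AES-256)
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD_CONFIG), ("auto", SAMPLE_AUTO_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
    rotated = rotate_machine_key(SAMPLE_BAD_CONFIG)
    print("after rotation:", audit_machine_key(rotated) or ["no findings"])
```

Rotation here is deliberately a separate step from the audit: a finding on a production server should prompt an investigation for an existing web shell before the keys are swapped, since a new key does not evict an attacker who is already inside.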
