CyberSecurity SEE

ASP.NET Vulnerability Allows Hackers to Take Control of Servers and Inject Malicious Code

Microsoft security researchers have warned of a widespread weakness in ASP.NET deployments that puts thousands of web servers at risk. The issue stems from developers copying publicly available ASP.NET machine keys into their configurations, a practice that attackers are now exploiting to carry out ViewState code injection attacks.

In an incident from December 2024, this weakness was exploited to deliver Godzilla, a post-exploitation framework capable of executing commands, injecting shellcode and maintaining persistent access to compromised servers. Microsoft warns that more than 3,000 publicly disclosed machine keys could be weaponized for similar attacks.

ASP.NET machine keys, the validationKey and decryptionKey values in a site's configuration, protect web applications by signing (and optionally encrypting) ViewState data so that it cannot be tampered with on the client. The server trusts only ViewState whose signature validates under its own key. Some developers have copied these keys from public documentation and forum posts, unknowingly giving anyone who has read the same material the ability to generate ViewState the server will accept.

Once an attacker knows the machine key in use, they can sign a malicious ViewState payload and send it to a vulnerable page. Because the signature checks out, the server accepts and deserializes the payload; the attacker embeds a deserialization gadget chain in it, so the act of deserializing runs attacker-controlled code inside the worker process, resulting in full remote code execution.
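The paragraph above comes down to one property: ViewState is only as trustworthy as the secrecy of the key that signs it. The following Python is an added example, not code from the article or from Microsoft, and it models that property with a deliberately simplified scheme (JSON state plus an HMAC-SHA256 tag). It is not the real ASP.NET ViewState encoding or its key derivation. The 64-byte LEAKED_VALIDATION_KEY and the page state are constructed for the example. It shows a token forged with the leaked key being accepted, a bit-flipped token being rejected, and the forged token failing once the server rotates to a fresh key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed 64-byte key standing in for a validationKey copied from a public
# page. Anyone who has read the same page holds it too.
LEAKED_VALIDATION_KEY = bytes.fromhex("A1B2C3D4" * 16)

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_viewstate(state: dict, validation_key: bytes) -> str:
    """Serialize page state and append an HMAC-SHA256 tag under validation_key."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_viewstate(token: str, validation_key: bytes):
    """Return the decoded state if the MAC verifies, otherwise None."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or signed under a different key
    return json.loads(body)


def attacker_forges(validation_key: bytes) -> str:
    """Whoever holds validationKey can mint a token the server will accept.
    In the real attack the forged ViewState carries a deserialization gadget
    chain; here it is simply attacker-chosen state."""
    return make_viewstate(
        {"page": "Default.aspx", "payload": "attacker-controlled"}, validation_key
    )


def tamper(token: str) -> str:
    """Flip one bit of the signed body without knowing any key."""
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def rotate_validation_key() -> bytes:
    """64 random bytes, the validationKey length recommended for HMACSHA256.
    On a web farm the new key must go to every server at the same time."""
    return secrets.token_bytes(64)


def scenario() -> dict:
    """Accept/reject outcomes before and after the server rotates its key."""
    server_key = LEAKED_VALIDATION_KEY
    forged = attacker_forges(LEAKED_VALIDATION_KEY)
    results = {
        # leaked key: the forged token passes the MAC check
        "forged_accepted_with_leaked_key": verify_viewstate(forged, server_key) is not None,
        # without the key, bit-flipping a token still fails the MAC check
        "tampered_accepted": verify_viewstate(tamper(forged), server_key) is not None,
    }
    server_key = rotate_validation_key()
    legit = make_viewstate({"page": "Default.aspx"}, server_key)
    results["forged_accepted_after_rotation"] = verify_viewstate(forged, server_key) is not None
    results["legit_accepted_after_rotation"] = verify_viewstate(legit, server_key) is not None
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The MAC check itself is sound; the failure is entirely in key management, which is why rotation to a key nobody else has read is the fix and why a key must be treated as a secret rather than as configuration that can be copied from a sample.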

The December 2024 attack involved an unidentified actor using a publicly known ASP.NET machine key to deploy Godzilla, a post-exploitation tool that provides remote access to compromised servers. The attack began with injection: the attacker sent a malicious ViewState payload signed with the leaked machine key.

Because the key was valid, the server accepted the payload and executed the attacker's code. This led to the deployment of Godzilla, triggering the execution of assembly.dll, which loaded the framework and enabled further exploitation.

In response to this issue, Microsoft has removed machine key samples from public documentation to deter poor security practices. The company has also introduced new detection alerts through Microsoft Defender for Endpoint to identify any usage of publicly disclosed machine keys.

If a system has been compromised, simply rotating the machine keys may not be sufficient. Microsoft recommends conducting a full forensic investigation, as attackers may have installed backdoors or additional malware.

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, commented on the situation, emphasizing the importance of replacing sample keys and understanding the risks associated with hardcoded keys in production. He advised developers to use tools to detect and remove hardcoded secrets to improve configuration security.

To safeguard web servers, replace any machine key that was copied from an online source. Generate new keys, deploy the same values to every server in a web farm at the same time (servers with mismatched keys will reject each other's ViewState) and rotate them on a schedule. Encrypting the machineKey section of web.config, for example with aspnet_regiis -pe, also helps prevent exposure.

Monitoring for suspicious activity is paramount; Microsoft Defender can now detect publicly disclosed ASP.NET machine keys. Enabling attack surface reduction rules can help block web shell creation on servers. Upgrading to ASP.NET 4.8, which adds Antimalware Scan Interface (AMSI) support, strengthens runtime defences further.
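The two preceding paragraphs describe a procedure (find copied keys, generate replacements, apply them, then keep checking) that is easy to get wrong by hand. The Python below is an added example, not code from the article or from Microsoft, that audits a web.config for machineKey values present in a disclosed-key list, generates replacement keys of the lengths appropriate for HMACSHA256 and AES, and rewrites the configuration. KNOWN_PUBLIC_KEYS and SAMPLE_WEB_CONFIG are constructed stand-ins: the real Microsoft list of 3,000+ keys is not reproduced here.

```python
import secrets
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed "publicly disclosed" keys for the example; compare upper-cased
# because web.config authors write hex in either case.
LEAKED_VALIDATION = "A1B2C3D4" * 16  # 128 hex chars = 64 bytes
LEAKED_DECRYPTION = "E5F60718" * 8   # 64 hex chars = 32 bytes
KNOWN_PUBLIC_KEYS = {LEAKED_VALIDATION, LEAKED_DECRYPTION}

# Constructed web.config whose machineKey was pasted from a public sample.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="{LEAKED_VALIDATION.lower()}"
                decryptionKey="{LEAKED_DECRYPTION.lower()}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_config(xml_text: str) -> dict:
    """Report whether a machineKey is set and which of its values are disclosed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    mk = next(root.iter("machineKey"), None)
    result = {"present": mk is not None, "disclosed": [], "auto_generated": False}
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys. Not leaked,
        # but only workable on a single server, not a farm.
        return result
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.upper().startswith("AUTOGENERATE"):
            result["auto_generated"] = True
            continue
        if value.upper() in KNOWN_PUBLIC_KEYS:
            result["disclosed"].append(attr)
    return result


def generate_machine_key() -> dict:
    """Fresh keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_config(xml_text: str, keys: dict) -> str:
    """Return the configuration with the machineKey element replaced or added."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        system_web = next(root.iter("system.web"), None)
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        mk = ET.SubElement(system_web, "machineKey")
    for attr, value in keys.items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


def scan_tree(root_dir: str) -> list:
    """Audit every web.config below root_dir (e.g. C:\\inetpub on an IIS host)."""
    findings = []
    for path in Path(root_dir).rglob("web.config"):
        report = audit_config(path.read_text(encoding="utf-8"))
        if report["disclosed"]:
            findings.append((str(path), report["disclosed"]))
    return findings


if __name__ == "__main__":
    print("before:", audit_config(SAMPLE_WEB_CONFIG))
    new_keys = generate_machine_key()
    fixed = rotate_config(SAMPLE_WEB_CONFIG, new_keys)
    print("after: ", audit_config(fixed))
```

The generated element is the same on every server by design: copy the one output to all members of the farm in a single change window, then encrypt the section in place on each IIS host with aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourApp". Rotation alone does not undo a compromise that has already happened; if the audit finds a disclosed key, treat the host as breached and investigate before trusting it again.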

Lastly, conduct a security audit wherever a machine key has been exposed. Assume a breach and investigate thoroughly for unauthorized access and persistence, since only that confirms the security and integrity of the affected web servers.
