Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks that exploit publicly disclosed ASP.NET machine keys to compromise IIS web servers.
Microsoft has identified over 3,000 publicly disclosed keys vulnerable to ViewState code injection attacks.
Unlike stolen keys sold on dark web forums, these keys are openly available in code repositories, increasing the risk of exploitation in development environments.
During the investigation, Microsoft found that developers used publicly disclosed ASP.NET machine keys from open sources, allowing threat actors to exploit them for attacks on target servers.
The company’s Threat Intelligence team observed limited activity in December 2024 by an unidentified threat actor using these keys to deliver the Godzilla post-exploitation framework.
“If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted,” Microsoft stated.
ViewState is a mechanism in ASP.NET Web Forms that preserves page and control state between postbacks.
To protect this data, the machine keys (ValidationKey and DecryptionKey) are used to validate (sign) and encrypt it.
However, if these keys are exposed, malicious actors can craft harmful ViewState payloads that bypass security checks on targeted servers.
In the December attack, a publicly disclosed machine key was used to inject malicious code via a POST request.
This payload loaded the Godzilla framework, enabling the attacker to execute commands, inject shellcode, and perform other malicious activities on the compromised IIS web server.
Microsoft identified over 3,000 publicly disclosed ASP.NET machine keys available in code repositories and documentation.
Unlike stolen or sold keys often traded on dark web forums, these publicly accessible keys pose a unique risk as developers might unknowingly incorporate them into their applications.
For organizations using Microsoft Defender for Endpoint, alerts like “Publicly disclosed ASP.NET machine key” can identify potential vulnerabilities.
Additionally, Microsoft has provided scripts and hash values to help users detect and address exposed keys.
If exploitation has occurred, rotating keys alone may not suffice. Organizations are advised to conduct thorough investigations for potential backdoors or persistence mechanisms established by attackers.
In severe cases, reformatting and reinstalling compromised servers offline may be necessary.
Microsoft has identified indicators linked to this attack, including the SHA-256 hash value: (19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d).
Users are encouraged to compare their environment’s machine keys against Microsoft’s list of disclosed hashes.
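One way to perform that comparison, as an added example that is not Microsoft's script: parse a site's web.config, skip keys left at AutoGenerate, hash each static key and look it up in a set of disclosed-key hashes. The web.config content and the hash set are constructed for the demo, and the normalization (hash of the uppercase hex key string) is an assumption to be aligned with whatever the published list uses.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config (not from the article): a static machineKey pasted into a site config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

def key_hash(key_value: str) -> str:
    """SHA-256 of the key as written in the config (uppercase hex, no whitespace).
    Assumption: the published hash list hashes the key string in this form; adjust the
    normalization here if the list you compare against uses a different one."""
    return hashlib.sha256(key_value.strip().upper().encode("ascii")).hexdigest()

# Placeholder for the vendor's published list of SHA-256 hashes of disclosed keys.
# The single entry is constructed from the sample above so the demo produces a match.
DISCLOSED_KEY_HASHES = {
    key_hash("0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"),
}

def extract_machine_keys(config_xml: str) -> list[dict]:
    """Return every <machineKey> element (including ones nested under <location>) as a dict."""
    root = ET.fromstring(config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]

def audit_machine_keys(config_xml: str, disclosed_hashes: set[str]) -> list[str]:
    """Flag static keys whose hash appears in the disclosed list. Keys left at the ASP.NET
    default 'AutoGenerate,IsolateApps' are per-machine and cannot have been copied from a
    public source, so they are skipped."""
    findings = []
    for mk in extract_machine_keys(config_xml):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue
            if key_hash(value) in disclosed_hashes:
                findings.append(f"{attr}: matches a publicly disclosed key (sha256 {key_hash(value)[:16]}...)")
    return findings

if __name__ == "__main__":
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG, DISCLOSED_KEY_HASHES):
        print("FINDING", finding)
```

A match means the key must be replaced and, per the article, the server investigated for persistence rather than only re-keyed.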
To counter this threat, Microsoft has issued several recommendations: