ViewState code injection attack chain leading to Godzilla | Source: Microsoft
Microsoft Threat Intelligence has reported a concerning trend: attackers are exploiting publicly disclosed ASP.NET machine keys to inject malicious code into web applications. This insecure practice, where developers incorporate static keys found in online resources, leaves systems vulnerable to ViewState code injection attacks.
ViewState, a mechanism used by ASP.NET Web Forms to preserve page and control state, relies on machine keys for protection against tampering. However, if these keys are exposed, attackers can craft malicious ViewState requests, leading to remote code execution on the server.
“If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request,” Microsoft explains. “When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”
In December 2024, Microsoft observed an unattributed threat actor using a publicly known machine key to deliver the Godzilla post-exploitation framework. This framework provides attackers with a range of capabilities, including executing commands, injecting shellcode, and more.
The report highlights the danger of using static machine keys found in public sources such as code documentation and repositories. Microsoft has identified over 3,000 such keys that could be used in these attacks. Unlike compromised keys sold on the dark web, these publicly disclosed keys are readily available and may be unknowingly incorporated into development code.
To mitigate this risk, Microsoft recommends that organizations:
- Avoid using publicly disclosed keys: Generate unique keys and store them securely.
- Regularly rotate keys: This limits the impact of a compromised key.
- Monitor configuration files: Detect unauthorized changes to machine keys.
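The three recommendations above translate into a routine check an IIS administrator can run. The following PowerShell script is an added example, not code from Microsoft's report: it scans web.config files for static `<machineKey>` elements, flags any whose key matches a blocklist of known publicly disclosed keys, and generates fresh random replacement keys for rotation. The IIS root path and the blocklist entries are assumptions (the hash shown is a constructed placeholder, not Microsoft's list).

```powershell
# Added example (not from the Microsoft report). Assumed: IIS sites live under
# C:\inetpub, and $KnownPublicKeyHashes holds SHA-256 hashes of key values you
# have identified as publicly disclosed (computed over the upper-cased hex string).
$KnownPublicKeyHashes = @(
    'PLACEHOLDER_SHA256_OF_A_PUBLICLY_DISCLOSED_KEY'   # constructed placeholder
)

function Get-Sha256Hex([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function New-MachineKeyHex([int]$ByteCount) {
    # Cryptographically random key material: 64 bytes for an HMACSHA256
    # validationKey, 32 bytes for an AES-256 decryptionKey.
    $buf = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ([System.BitConverter]::ToString($buf) -replace '-', '')
}

function Test-MachineKeyConfig([string]$ConfigPath) {
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $mk = $cfg.SelectSingleNode('//machineKey')
    # No static element means keys are auto-generated per server, which is not
    # the publicly-disclosed-key problem this check is looking for.
    if (-not $mk) { return [pscustomobject]@{ Path = $ConfigPath; Status = 'NoStaticKey' } }
    $status = 'StaticKey'
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $k = $mk.GetAttribute($attr)
        if ($k -and $KnownPublicKeyHashes -contains (Get-Sha256Hex $k.ToUpperInvariant())) {
            $status = 'PubliclyDisclosedKey'
        }
    }
    [pscustomobject]@{ Path = $ConfigPath; Status = $status }
}

# Report every site whose web.config carries a static key; the key values
# themselves are deliberately not printed.
Get-ChildItem -Path 'C:\inetpub' -Recurse -Filter 'web.config' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MachineKeyConfig $_.FullName } |
    Where-Object { $_.Status -ne 'NoStaticKey' } |
    Format-Table Path, Status

# Replacement element for key rotation; roll it out through your normal
# configuration-change process rather than hand-editing a live site.
"<machineKey validationKey=`"$(New-MachineKeyHex 64)`" decryptionKey=`"$(New-MachineKeyHex 32)`" validation=`"HMACSHA256`" decryption=`"AES`" />"
```

Re-running the scan after rotation, and diffing its output against the previous run, gives a simple way to detect an unexpected change to a site's machine keys.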
Microsoft Defender for Endpoint can help detect publicly disclosed keys, and Microsoft has taken steps to remove key samples from its own public documentation.