
February 10, 2025

Threat actors observed using exposed ASP.NET keys to deploy malware


Microsoft has observed threat actors exploiting web applications whose developers copied static ASP.NET machine keys from public sources into their own configuration. Those keys exist to protect application data from tampering and information disclosure, but a key that has been published protects nothing: anyone who found the same page holds a copy.

An ASP.NET machine key is a pair of cryptographic keys, a validation key and a decryption key, that ASP.NET applications use to sign and encrypt data such as forms authentication tickets, view state and session state. The validation key lets the server detect data that has been modified or forged, and the decryption key keeps its contents confidential. Both guarantees depend entirely on the key remaining secret.

Microsoft has revealed that threat actors are using machine keys found in public sources, such as code repositories, to craft malicious ViewState payloads, which are then sent to a target server in a POST request.

Because the attacker's key matches the server's, the ASP.NET runtime accepts the payload's signature, decrypts it and deserializes it, and deserializing attacker-controlled data is what runs the attacker's code. The result is remote code execution on the underlying Microsoft Internet Information Services (IIS) server, in the context of the application's worker process.
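The following Python is an added example, not code from Microsoft or from the article, that models the validate-then-deserialize decision described above. It is a simplified stand-in for ASP.NET's legacy (compatibilityMode="Framework20SP1", validation="HMACSHA256") ViewState format: the MAC is computed over the serialized payload plus the 4-byte generator value and appended to the payload before base64 encoding. The generator value, the "public" key and the gadget placeholder are all constructed; no real disclosed key or deserialization gadget appears here. What it shows is that a server using a key the attacker also holds accepts a forged payload and passes it to deserialization, while a server with a unique key rejects the same payload before anything is deserialized.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a __VIEWSTATEGENERATOR value (4 bytes derived by
# ASP.NET from the page path); it is mixed into the MAC so that one page's
# ViewState is not valid for another page.
GENERATOR = bytes.fromhex("CA0B0334")

# Constructed 64-byte validation key standing in for one copied from a public
# sample configuration. The real disclosed keys are not reproduced here.
PUBLIC_KEY = bytes.fromhex("C0DE" * 32)

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMACSHA256


def make_viewstate(validation_key: bytes, payload: bytes, generator: bytes = GENERATOR) -> str:
    """base64(payload || HMAC-SHA256(key, payload || generator)), simplified legacy layout."""
    mac = hmac.new(validation_key, payload + generator, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def validate_viewstate(validation_key: bytes, viewstate: str,
                       generator: bytes = GENERATOR) -> Optional[bytes]:
    """Return the payload the runtime would go on to deserialize, or None if the MAC fails."""
    raw = base64.b64decode(viewstate)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + generator, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # ViewState MAC failure: nothing is deserialized
    return payload   # would be handed to ObjectStateFormatter.Deserialize; a gadget runs here


def forgery_accepted(server_key: bytes, attacker_key: bytes, payload: bytes) -> bool:
    """Does a ViewState signed with attacker_key pass validation under server_key?"""
    return validate_viewstate(server_key, make_viewstate(attacker_key, payload)) == payload


def tamper_without_key(server_key: bytes, legitimate: str, payload: bytes) -> bool:
    """Swap in a new payload but keep the old MAC; fails because the MAC covers the payload."""
    old_mac = base64.b64decode(legitimate)[-MAC_LEN:]
    spliced = base64.b64encode(payload + old_mac).decode()
    return validate_viewstate(server_key, spliced) == payload


if __name__ == "__main__":
    gadget = b"<constructed placeholder for a serialized deserialization gadget>"
    # Server that copied the public key: the attacker's forged MAC is accepted.
    print("public key, forged ViewState accepted:", forgery_accepted(PUBLIC_KEY, PUBLIC_KEY, gadget))
    # Server with its own random key: the same payload is rejected before deserialization.
    unique_key = secrets.token_bytes(64)
    print("unique key, forged ViewState accepted:", forgery_accepted(unique_key, PUBLIC_KEY, gadget))
    legit = make_viewstate(unique_key, b"legitimate page state")
    print("unique key, spliced payload accepted:", tamper_without_key(unique_key, legit, gadget))
```

The decisive line is the one that returns the payload after `compare_digest` succeeds: with a shared key the server cannot distinguish the attacker's ViewState from its own, so the protection that remains is whatever the deserializer refuses to instantiate, which is exactly what deserialization gadgets are built to defeat.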


Microsoft said it observed limited activity in December 2024 in which an unknown threat actor used this technique to deliver the Godzilla post-exploitation framework.

Previously observed ViewState code injection attacks used compromised or stolen keys, often sold on dark web forums. The newer tactic of using publicly disclosed keys poses a broader risk: Microsoft has identified over 3,000 publicly disclosed keys that could be used for these attacks, and any application that copied one of them is exposed to anyone who finds the same page.

Source: Bleeping Computer

Analysis

Using a static ASP.NET machine key found online introduces significant security risks, including authentication bypass, data tampering and session hijacking. Because the validation key signs forms authentication tickets, an attacker who knows it can forge valid authentication cookies and impersonate any user, including administrators, without ever needing a password.

Another major risk arises in multi-application or shared hosting environments, where several systems sharing one machine key allow cross-application session hijacking: if one application is compromised, a threat actor can reuse its authentication tokens against the others. Load-balanced web farms must use identical machine keys on every node so that any server can validate ViewState and cookies issued by another; that requirement is legitimate, but meeting it with a key copied from a public page means anyone holding that page can mint tokens the whole farm will accept.

Microsoft IIS is one of the most widely deployed web servers. It is particularly dominant in enterprise environments, government agencies, and Windows-based infrastructures due to its tight integration with Windows Server, Active Directory, and .NET applications.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats affecting widely used frameworks such as ASP.NET. Field Effect MDR users are automatically notified if this threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect encourages organizations to refer to Microsoft’s list of hash values for the publicly disclosed machine keys and to run its tool to verify whether any of the exposed machine keys are present in their environments, checking the web.config and machine.config files on every web server.

To deny this attack vector to threat actors, developers should always generate unique keys, for example with the Machine Key feature in IIS Manager, instead of relying on static or publicly shared ones. Machine keys should be stored securely, never hardcoded in public repositories, and rotated regularly to limit the impact of a leak; in a web farm the new key must be rolled out to every node together. Rotation alone is not sufficient if a disclosed key has already been in use on an internet-facing server: a successful ViewState attack gives the attacker code execution, and any persistence established through it survives the key change, so such servers should also be investigated for signs of compromise.
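As an added example, not Microsoft's checking script or Field Effect's tooling, the following Python does the two checks above on a configuration file: it walks every `<machineKey>` element in a web.config (including those nested under `<location>`), skips auto-generated keys, hashes any static key against a list of disclosed-key hashes, and emits a replacement element with freshly generated keys of the sizes ASP.NET expects for HMACSHA256 and AES. The sample web.config and the hash list are constructed for this example, and the hash format (SHA-256 of the upper-cased hex key string) is an assumption; adapt `key_hash` to whatever format Microsoft's published list actually uses before comparing against it.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Constructed sample keys: the pattern this article warns about (a hard-coded
# pair copied into the config). 128 hex chars = 64 bytes, 64 hex chars = 32 bytes.
SAMPLE_VALIDATION_KEY = "A1B2C3D4E5F60718" * 8
SAMPLE_DECRYPTION_KEY = "0F1E2D3C4B5A6978" * 4

# Constructed web.config: the root <system.web> carries the static pair, while
# a <location> block leaves the defaults, which ASP.NET generates per machine.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <location path="admin">
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps" />
    </system.web>
  </location>
</configuration>
"""


def key_hash(value: str) -> str:
    """Assumed hash format for the disclosed-key list: SHA-256 over the upper-cased hex string."""
    return hashlib.sha256(value.upper().encode()).hexdigest()


# Constructed stand-in for Microsoft's published hash list. Here it contains the
# sample validation key, so the sample config represents an application that
# copied a disclosed key.
KNOWN_DISCLOSED_HASHES: Set[str] = {key_hash(SAMPLE_VALIDATION_KEY)}


def scan_config(xml_text: str, disclosed_hashes: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (attribute, verdict, hash) for every static key in every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            if value.upper().startswith("AUTOGENERATE"):
                continue  # generated at runtime, nothing static to leak
            digest = key_hash(value)
            if digest in disclosed_hashes:
                verdict = "publicly disclosed"
            else:
                verdict = "static, not on the list (confirm it was generated, not copied)"
            findings.append((attr, verdict, digest))
    return findings


def generate_machine_key_element() -> str:
    """Fresh random keys sized for HMACSHA256 (64 bytes) and AES-256 (32 bytes)."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def key_lengths(element: str) -> Tuple[int, int]:
    """Hex-character lengths of the two keys in a <machineKey> element."""
    e = ET.fromstring(element)
    return len(e.get("validationKey")), len(e.get("decryptionKey"))


if __name__ == "__main__":
    for attr, verdict, digest in scan_config(SAMPLE_WEB_CONFIG, KNOWN_DISCLOSED_HASHES):
        print(f"{attr}: {verdict} (sha256 {digest[:16]}...)")
    print("replacement element:")
    print(generate_machine_key_element())
```

The replacement element is what goes into the config on every node of a web farm, all nodes at once so that cookies and ViewState keep validating across the farm, and it belongs in the deployment's secret store rather than in source control. Note that the scan reports a static key even when it is not on the disclosed list; a key that was generated locally is fine, but the scan cannot tell that apart from one copied from a page Microsoft has not catalogued, so confirm its origin.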

Related Articles