Hackers Exploited 3,000+ ASP.NET keys to Execute Code on IIS Server Remotely

In a significant cybersecurity development, Microsoft has revealed that over 3,000 publicly disclosed ASP.NET machine keys have been exploited by threat actors to compromise Internet Information Services (IIS) web servers.

These attacks leverage ViewState code injection techniques, enabling remote code execution and the deployment of malicious payloads, including the powerful Godzilla post-exploitation framework.

Exploiting a Common Development Misstep

The vulnerability stems from developers copying static ASP.NET machine keys, the secrets that protect ViewState data, from publicly accessible sources such as code repositories or documentation into their own applications.

Unlike stolen keys traded on dark web forums, these publicly available keys pose a unique risk as they are often unknowingly embedded into production environments.

ViewState is a mechanism in ASP.NET Web Forms that preserves page and control states between postbacks.

To secure this data, ASP.NET uses the machine keys (ValidationKey and DecryptionKey) to validate the integrity of ViewState and to encrypt it.

If these keys are exposed, attackers can craft malicious ViewState payloads that pass the server's validation checks, because they are signed and encrypted with the same keys the server trusts.

When the ASP.NET runtime processes such a payload, it decrypts and validates it with the exposed keys, accepts it as legitimate, and deserializes it, allowing the embedded malicious code to execute within the server's memory.

Godzilla Framework Deployment

Microsoft Threat Intelligence observed limited exploitation of this vulnerability in December 2024.

An unattributed threat actor used a publicly disclosed machine key to inject malicious ViewState payloads via POST requests.

This attack reflectively loaded a DLL associated with the Godzilla framework, enabling remote command execution, shellcode injection, and other malicious activities on the compromised IIS server.

The Godzilla framework is particularly dangerous due to its modular design and capabilities for persistence and lateral movement within compromised networks.

Figure: ViewState code injection attack chain leading to Godzilla.

The attack underscores the criticality of securing machine keys and avoiding their reuse from public sources.

Microsoft has emphasized the importance of securing ASP.NET machine keys to prevent similar attacks.

Key recommendations include:

  • Avoid Publicly Available Keys: Developers should refrain from copying machine keys from public resources.
  • Regular Key Rotation: Organizations should periodically rotate machine keys to mitigate potential risks.
  • Enhanced Monitoring: Use tools like Microsoft Defender for Endpoint to detect exposed machine keys and monitor configuration files for unauthorized changes.
  • Thorough Investigations: If exploitation is suspected, rotating keys alone may not suffice. Organizations should investigate for potential backdoors or persistence mechanisms established by attackers.

Additionally, Microsoft has removed key samples from its own documentation to discourage insecure practices and provided scripts for identifying exposed keys in enterprise environments.
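The checks behind the recommendations above (no copied keys, rotation, and watching configuration files) can be automated. The following is an added example, not Microsoft's script or any code from the article: it parses a constructed web.config, flags a static machineKey whose value matches a hypothetical blocklist of disclosed keys (the blocklist entries and sample keys are constructed placeholders), flags weak validation algorithms, and generates fresh key material for rotation.

```python
import hashlib
import os
import re
import xml.etree.ElementTree as ET

# Hypothetical blocklist: SHA-256 digests of key values known to be published.
# Constructed placeholder entry only; a real deployment would load a curated list.
KNOWN_PUBLIC_KEY_SHA256 = {hashlib.sha256(b"A" * 128).hexdigest()}

# Constructed sample web.config resembling a key copied from documentation.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{}" decryptionKey="{}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
""".format("A" * 128, "B" * 64)


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element (empty list if nothing to report)."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no static element: ASP.NET auto-generates keys per server
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys are never copied from a public source
        if not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"{name} is not a hex string")
        # Hash the key before comparing so the blocklist itself never holds raw keys.
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_PUBLIC_KEY_SHA256:
            findings.append(f"{name} matches a publicly disclosed key")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings


def new_machine_key_hex(num_bytes: int) -> str:
    """Fresh random key material for rotation, as the upper-case hex web.config expects
    (64 bytes for an HMACSHA256 validationKey, 32 bytes for an AES-256 decryptionKey)."""
    return os.urandom(num_bytes).hex().upper()
```

Run audit_machine_key over every web.config under the IIS site roots on a schedule; any finding about a disclosed key is an incident trigger, not just a configuration fix.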

This incident highlights the risks associated with poor key management practices in software development.

Publicly disclosed cryptographic material can be weaponized by attackers to exploit vulnerabilities in widely used platforms like IIS.

Organizations must adopt secure DevOps practices and ensure sensitive information like machine keys is encrypted during deployment.

As attackers increasingly target misconfigurations and insecure development practices, proactive measures are essential to safeguard critical infrastructure from exploitation.
