
Don’t use public ASP.NET keys (duh), Microsoft warns


Microsoft Threat Intelligence in December observed a “threat actor” using a publicly available ASP.NET machine key to inject malicious code and fetch the Godzilla post-exploitation framework, a “backdoor” web shell used by intruders to execute commands and manipulate data. The company then identified more than 3,000 publicly disclosed ASP.NET machine keys—i.e., keys that had been disclosed in code documentation and repositories—that could be used in these types of attacks, known as ViewState code injection attacks.

In response, Microsoft Threat Intelligence is warning organizations not to copy keys from publicly available sources and urging them to regularly rotate keys. In a February 6 bulletin, Microsoft Threat Intelligence said that in investigating and protecting against this activity, it has observed an insecure practice whereby developers used publicly disclosed ASP.NET machine keys from code documentation, repositories, and other public sources that were then used by threat actors to perform malicious actions on target servers. While many previously known ViewState code injection attacks used compromised or stolen keys that were sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification, Microsoft said. The limited malicious activity Microsoft observed in December included the use of one publicly disclosed key to inject malicious code. Microsoft Threat Intelligence continues to monitor the additional use of this attack technique, Microsoft said.

ViewState is the method by which ASP.NET web forms preserve page and control state between postbacks, Microsoft Threat Intelligence said. Data for ViewState is stored in a hidden field on the page and is encoded. To protect ViewState against tampering and disclosure, the ASP.NET page framework uses machine keys. “If these keys are stolen or made accessible to threat actors, these threat actors can craft a malicious ViewState using the stolen keys and send it to the website via a POST request,” Microsoft Threat Intelligence said in the bulletin. “When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used. The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on…
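One way to act on the warning above is to audit `web.config` files for hard-coded machine keys and compare them against a deny list of disclosed keys. The sketch below is an added example, not code from Microsoft or the article; the function names, the SHA-256 fingerprint deny-list format, and the sample configs and key values are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: web.config with a hard-coded machineKey (made-up key values).
SAMPLE_STATIC = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""

# Constructed sample: keys are auto-generated, so no secret lives in the file.
SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def key_fingerprint(key_hex):
    """SHA-256 of the normalized key, so the deny list never holds raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()


def audit_machine_keys(config_xml, disclosed_fingerprints):
    """Return (attribute, status) for every hard-coded key in a web.config."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            if value is None or value.strip().lower().startswith("autogenerate"):
                continue  # absent or auto-generated: nothing copyable in the file
            if key_fingerprint(value) in disclosed_fingerprints:
                findings.append((attr, "publicly-disclosed"))  # replace immediately
            else:
                findings.append((attr, "static"))  # confirm origin, rotate on schedule
    return findings


if __name__ == "__main__":
    # Assumed deny-list format: SHA-256 fingerprints of known disclosed keys.
    deny = {key_fingerprint("0123456789abcdef" * 4)}
    for name, doc in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_machine_keys(doc, deny))
```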


