3,000 Exposed ASP.NET Keys Put Web Applications at Risk of Code Injection Attacks

Threat actors are using exposed cryptographic keys to manipulate authentication tokens, decrypt protected information, and insert harmful code into susceptible web servers, creating the potential for hackers to seize unauthorized control and ensure long-term access.
Microsoft’s threat intelligence team observed activity from December 2024 involving an unidentified threat actor using a publicly available, static ASP.NET machine key to inject malicious code. The attackers leveraged this weakness to deploy the Godzilla post-exploitation framework, potentially enabling persistent access and further compromise of targeted systems.
Microsoft reported discovering over 3,000 publicly disclosed keys that could facilitate attacks, which it refers to as ViewState code injection attacks.
Previous attacks relied on stolen or compromised keys traded in underground forums. Microsoft warns that publicly disclosed keys may pose an even greater risk since they are widely accessible in various code repositories and could have been directly integrated into development projects without any alterations.
Microsoft in December 2024 detected an unknown threat actor injecting a malicious ViewState payload that reflectively loaded Godzilla, enabling the hacker to execute commands, inject shellcode and perform other post-exploitation activities.
ViewState is a feature in ASP.NET Web Forms that maintains the state of web pages between user interactions. It relies on machine keys, ValidationKey and DecryptionKey, to prevent tampering and data leaks. If attackers obtain these keys, they can craft malicious ViewState data and send it to the targeted web application. When processed, the injected code executes on the web server, granting attackers control over the system.
Microsoft recommends developers avoid using machine keys copied from public sources and rotate keys regularly to mitigate risks. The company also removed key samples from its documentation and provided a script for security teams to identify and replace publicly disclosed keys in their environments.
Microsoft Defender for Endpoint also includes an alert for publicly exposed ASP.NET machine keys, though the alert itself does not indicate an active attack. Organizations running ASP.NET applications, especially those deployed in web farms, are urged to replace fixed machine keys with auto-generated values stored in the system registry.
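As an added illustration (not Microsoft's script and not code from the report), the following Python sketch audits a web.config document for fixed `machineKey` values and compares their SHA-256 fingerprints against a list of disclosed-key hashes. The sample configuration and the disclosed-hash set are constructed for the example; a real audit would load the hash list from a trusted source.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config (the key values are placeholders, not real keys).
STATIC_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

KEY_ATTRS = ("validationKey", "decryptionKey")


def key_fingerprint(value):
    """SHA-256 of the normalized key, so key material is never logged."""
    return hashlib.sha256(value.strip().upper().encode("ascii", "replace")).hexdigest()


def audit_machine_keys(config_xml, disclosed_hashes=frozenset()):
    """Return one finding per static key attribute in a web.config document."""
    findings = []
    root = ET.fromstring(config_xml)
    for element in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            # A missing attribute falls back to the auto-generated default.
            value = element.get(attr, "AutoGenerate")
            if value.lower().startswith("autogenerate"):
                continue
            digest = key_fingerprint(value)
            findings.append({
                "attribute": attr,
                "sha256": digest,
                "publicly_disclosed": digest in disclosed_hashes,
            })
    return findings


if __name__ == "__main__":
    # Hypothetical disclosed-key list: here just the constructed sample key.
    disclosed = {key_fingerprint("0123456789ABCDEF" * 4)}
    for finding in audit_machine_keys(STATIC_CONFIG, disclosed):
        print(finding)
```

Any finding means the application uses a fixed key and is a candidate for rotation; a finding with `publicly_disclosed` set should be treated as the higher priority.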
If a web-facing server has been compromised, rotating the machine keys alone may not eliminate persistent threats. Microsoft recommends conducting a full forensic investigation to detect potential backdoors or unauthorized access points.
In high-risk cases, security teams should consider reformatting and reinstalling affected systems to prevent further exploitation, the report said.
Organizations should also implement best practices such as encrypting sensitive configuration files, following secure DevOps procedures and upgrading applications to ASP.NET 4.8. Microsoft advised enabling Antimalware Scan Interface capabilities and attack surface reduction rules to block web shell creation on Windows Servers.