In December 2024, the Microsoft Threat Intelligence team observed limited activity from an unknown attacker using a publicly available, static ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework.
Microsoft recently made this public on its Security Blog in the article Code injection attacks using publicly disclosed ASP.NET machine keys.
In the course of investigating, remediating and creating safeguards against this activity, Microsoft experts discovered that developers were using various publicly disclosed ASP.NET machine keys from publicly available resources, such as code documentation and repositories, in their software. The attackers then used these publicly known ASP.NET machine keys to perform malicious actions on target servers.
According to the article, Microsoft has now identified more than 3,000 publicly disclosed keys that could be used for this type of attack. This type of attack is known as ViewState code injection. While many previously known ViewState code injection attacks have used compromised or stolen keys, which are often sold on dark web forums, these publicly disclosed keys pose a higher risk, Microsoft writes, as they are available in multiple code repositories and could have been inserted into development code without modification.
Microsoft recommends that companies do not copy and use keys from publicly accessible sources and that they rotate the keys regularly. According to Microsoft, Microsoft Defender for Endpoint can help to reduce this risk, because it recognizes publicly accessible keys in the code. To prevent this practice, Microsoft has probably also removed key samples from some public documentation.
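As an added illustration of the recommendation above (not code from Microsoft or from the article), the following Python sketch audits a web.config for hard-coded `machineKey` values and flags any whose hash appears in a set of known public keys. The sample key, the hash set and the sample config are constructed for the example; `validationKey` and `decryptionKey` are the ASP.NET `machineKey` attributes.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a key copied from public documentation (not a real key).
SAMPLE_PUBLIC_KEY = "0123456789ABCDEF" * 8
# Constructed hash set; a real audit would load hashes of disclosed keys instead.
KNOWN_PUBLIC_HASHES = {hashlib.sha256(SAMPLE_PUBLIC_KEY.encode()).hexdigest()}

# Constructed web.config: static validationKey from the "public" set, generated decryptionKey.
SAMPLE_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_PUBLIC_KEY.lower()}"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

def is_static(value):
    """True when the key is hard-coded rather than absent or AutoGenerate."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")

def audit_machine_keys(config_xml, known_hashes=KNOWN_PUBLIC_HASHES):
    """Return (attribute, severity) for each hard-coded key in a web.config string."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Compare the local name so configs with an XML namespace are covered too.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            if not is_static(value):
                continue
            # Hex keys are case-insensitive, so normalise before hashing.
            digest = hashlib.sha256(value.strip().upper().encode()).hexdigest()
            severity = "public" if digest in known_hashes else "static"
            findings.append((attr, severity))
    return findings

if __name__ == "__main__":
    for attr, severity in audit_machine_keys(SAMPLE_CONFIG):
        print(f"machineKey {attr}: {severity} key, replace and rotate")
```

A "public" finding means the key matches a known disclosed value and must be replaced; a "static" finding is a hard-coded key that should still be checked for provenance and rotated on schedule.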
More details on the ViewState code injection attack and the campaign to spread the Godzilla post-exploitation framework can be found in the Microsoft article Code injection attacks using publicly disclosed ASP.NET machine keys.