
Microsoft has recently issued a notice warning of code injection attacks by an unknown threat actor taking advantage of publicly disclosed ASP.NET machine keys. These are cryptographic keys for encrypting and validating data in ASP.NET applications, playing a vital role in the security of online processes. While such attacks have in the past relied largely on compromised and stolen keys posted on dark web forums, attacks using publicly disclosed keys pose a unique threat because the keys sit in repositories where anyone can access them and copy them into code without modification.
Understanding ViewState and Code Injection Attacks
ViewState, described by Microsoft Threat Intelligence as “the method by which ASP.NET Web Forms preserve page and control state between postbacks,” works by storing data in a hidden field as a Base64-encoded string. The ASP.NET machine keys are used to validate and decrypt this data in order to protect against ViewState tampering.
Attackers manipulate ViewState by gaining access to the machine keys, whether through theft or by using publicly available repositories, and leveraging them in code injection attacks. They create a malicious ViewState with the obtained keys and send it to the website in a POST request, which the site accepts because the ViewState was produced with the correct machine keys.
ViewState code injection attacks using publicly available keys present a greater threat than those using stolen or compromised keys, as many developers may be looking to public repositories to help build their code. “Developers frequently turn to public resources and code snippets for ease, but this approach can unintentionally create vulnerabilities, particularly when developing applications or APIs that manage sensitive data and integrate critical systems,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security, a Palo Alto, Calif.-based provider of API security. These keys are easy for developers to use, but just as easy for bad actors to take advantage of.
Microsoft’s Findings: The Godzilla Framework and Emerging Threats
The code injection attack campaign spotted by Microsoft Threat Intelligence in December 2024 used a publicly available ASP.NET machine key to deliver the Godzilla post-exploitation framework to targets. Microsoft found over 3,000 ASP.NET machine keys publicly available online that could be weaponized in this way. Leveraging the publicly known key to carry out a ViewState code injection attack, the unattributed threat actor deployed malicious code to load Godzilla via reflective DLL loading.
The Godzilla post-exploitation framework features a wide range of functionalities, including the ability to “execute commands, manipulate files, and engage in other harmful and malicious activity on victim systems,” according to a November 2024 analyst note from the U.S. Department of Health and Human Services. As a publicly available and fileless framework/webshell, Godzilla can be deployed with relative ease and grant threat actors a great deal of control over the target system.
How Developers Are Unintentionally Compromising Security
Many developers may be inadvertently leaving the door open for this type of attack by making common mistakes regarding ASP.NET machine keys. While it is quick and convenient to find publicly available keys in code repositories online and insert them into development code, those keys are also available for bad actors to take advantage of. Using default keys for decryption, or ones copied from internet repositories, counteracts the security provided by the encryption of ViewState data.
By using publicly available keys or failing to rotate keys, developers leave applications vulnerable to a wide range of risks. Attackers can tamper with ViewState data to exploit this vulnerability and establish a persistent presence within an organization. This can enable threat actors to compromise systems, steal data, deploy code, elevate their privileges, and more. The breadth of functionality in these attacks puts enterprise applications and cloud environments at great risk. Attackers can obtain unauthorized access to critical systems and sensitive data, endangering entire organizations.
Mitigating the Threat: Best Practices for Securing ASP.NET Machine Keys
Some of the best practices for ensuring the security of ASP.NET machine keys and protecting against ViewState tampering attacks include:
- Properly generating and managing machine keys by using unique and randomly generated keys for each application.
- Preventing accidental exposure in public repositories by avoiding these repositories and deploying tools to detect any keys that are available publicly online.
- Implementing cryptographic best practices for ViewState security such as key management, regular key rotation, and the principle of least privilege.
- Encrypting sensitive information at deployment, such as critical web.config elements, to prevent threat actors from gaining access to them.
- Keeping all applications up to date to patch any vulnerabilities and take advantage of potential security improvements in newer software versions.
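The first two practices above can be checked mechanically. The following is an added example, not code from Microsoft or from the original article: it audits a web.config for hard-coded `<machineKey>` values, compares them against a deny-list of disclosed keys, and builds a randomly generated replacement. The sample key, the sample config, the `KNOWN_PUBLIC_DIGESTS` deny-list and the chosen key lengths are assumptions made for illustration.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

def key_digest(key_hex):
    """Normalise a hex key and hash it, so the deny-list never stores raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()

# Constructed stand-in for a key copied from a public repository (not a real one).
SAMPLE_PUBLIC_KEY = "A1B2C3D4" * 16
# Hypothetical deny-list; in practice, digests of keys known to be disclosed.
KNOWN_PUBLIC_DIGESTS = {key_digest(SAMPLE_PUBLIC_KEY)}

# Constructed web.config fragment with the public key pasted in.
SAMPLE_WEB_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_PUBLIC_KEY}"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

def audit_machine_key(web_config_xml, known=KNOWN_PUBLIC_DIGESTS):
    """Return findings for every <machineKey> element in a web.config string."""
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # An explicit key may carry a ",IsolateApps" style suffix; drop it.
            key = mk.get(attr, "AutoGenerate").split(",")[0].strip()
            if key.lower() == "autogenerate":
                continue  # runtime-generated key, nothing stored in the file
            if key_digest(key) in known:
                findings.append(f"{attr}: matches a publicly disclosed key")
            else:
                findings.append(f"{attr}: explicit key, keep out of source control")
    return findings

def new_machine_key():
    """Build a replacement element with keys drawn from the OS CSPRNG."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes (assumed size)
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes, AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    })

if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(ET.tostring(new_machine_key(), encoding="unicode"))
```

Run against every web.config in a repository or build artifact, the audit fits as a pre-commit or CI check; a key that matches the deny-list should be treated as compromised and rotated, not just removed from the file.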
The Need for Vigilance in Secure Development Practices
The code injection attacks observed by Microsoft Threat Intelligence are representative of a significant threat to organizational security, emphasizing the importance of developers exercising security awareness. Cybersecurity should be built into the code of applications and reinforced at every level, providing a layered defense against these attacks. Organizations must take steps to proactively prevent these attacks by securing their keys and following best practices.
As an invaluable open-source project with ongoing development and scalability, ASP.NET will continue to evolve, incorporating technologies like AI/ML and progressive web applications (PWAs) to improve performance and security. The threat landscape for ASP.NET, already rather diverse, will evolve along with it as cybercriminals find innovative ways to manipulate the framework for their gain and evade security measures.