Threat Advisory: Code Injection Attack Targeting ASP.NET Applications
Description

ASP.NET Web Forms use ViewState to maintain page state between postbacks. ViewState data, stored as a hidden field, relies on machine keys (Validation Key and Decryption Key) for security. If these keys are compromised, threat actors can craft malicious ViewState payloads, bypass validation, and execute unauthorized code within the target server environment.

Recent Exploitation: Godzilla Post-Exploitation Framework

In December 2024, an unattributed threat actor leveraged a publicly disclosed machine key to execute a ViewState code injection attack. This attack loaded Godzilla, a post-exploitation framework capable of executing malicious commands, injecting shellcode, and gaining control over affected systems.

Impact

- Remote Code Execution (RCE): Attackers can gain control over affected servers.
- Data Compromise: Unauthorized access to sensitive information.
- Persistent Threats: Attackers can maintain long-term access.

Recommendations

The following measures are strongly recommended to prevent exploitation:

1. Identify Publicly Disclosed Machine Keys
   - Use Defender for Detection: Microsoft Defender for Endpoint can detect publicly disclosed machine keys.
   - Check GitHub Repository: Review compromised keys listed in Microsoft’s GitHub repository.

2. Rotate and Secure Machine Keys
   - For Web Farms: Rotate machine keys across all servers using IIS Manager or PowerShell.
   - For Single Server Deployments: Remove the element from web.config to revert to system-generated secure keys.

3. Secure SharePoint and Exchange Servers
   - Follow SharePoint Key Management: SharePoint has a built-in key management system, so follow Microsoft’s key rotation procedures.
   - Review Exchange Security: Ensure Exchange web applications are protected against machine key exposure.

4. Use IIS Manager for Key Rotation
   - Access IIS Manager: Navigate to the affected website/application in IIS Manager.
   - Generate New Keys: Select Machine Key settings and click Generate Keys.
   - Apply Changes: Apply the new values or enable "Automatically generate at runtime" to enforce system-generated keys.

References

Code injection attacks using publicly disclosed ASP.NET machine keys

For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.

Threat Advisory Team
Accorian
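
As an added example (not part of the original advisory and not Microsoft tooling), the Python code below supports recommendations 1 and 2 by auditing web.config content for statically configured machine keys and comparing them against a list of disclosed keys. The `machineKey` element and its `validationKey`/`decryptionKey` attributes are standard ASP.NET configuration; the sample configs, the key values, and the SHA-256 fingerprint format of the disclosed-key list are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample inputs; the key values are placeholders, not real keys.
SAMPLE_KEY = "0123456789ABCDEF" * 4
SAMPLE_DECRYPTION_KEY = "FEDCBA98" * 6
SAMPLE_STATIC = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_KEY}" decryptionKey="{SAMPLE_DECRYPTION_KEY}"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLE_AUTO = "<configuration><system.web /></configuration>"


def fingerprint(key: str) -> str:
    # Assumed list format: SHA-256 of the upper-cased key string.
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


def audit_machine_keys(config_xml: str, disclosed=frozenset()):
    """Return (attribute, status) pairs: 'auto', 'static' or 'disclosed'."""
    root = ET.fromstring(config_xml)
    # Match on the local tag name so namespaced configs and <location>
    # overrides are both covered.
    elements = [e for e in root.iter() if e.tag.split("}")[-1] == "machineKey"]
    if not elements:
        # No element in this file: keys are inherited (system-generated by default).
        return [("machineKey", "auto")]
    findings = []
    for element in elements:
        for attr in ("validationKey", "decryptionKey"):
            value = element.get(attr, "AutoGenerate")
            if value.upper().startswith("AUTOGENERATE"):
                status = "auto"
            elif fingerprint(value) in disclosed:
                status = "disclosed"  # matches a known-leaked key: rotate now
            else:
                status = "static"  # hard-coded key: confirm origin, rotate
            findings.append((attr, status))
    return findings


if __name__ == "__main__":
    leaked = {fingerprint(SAMPLE_KEY)}  # constructed stand-in for a real list
    for name, xml in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_machine_keys(xml, leaked))
```

A `static` result means the key is hard-coded in the file and should be checked against the disclosed-key sources named in recommendation 1; a `disclosed` result means the key should be rotated as described in recommendations 2 and 4.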