Microsoft says attackers use exposed ASP.NET keys to deploy malware – BleepingComputer
![](https://netquick.ch/wp-content/uploads/2025/02/cyber-key-1024x576.jpg)
Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP.NET machine keys found online.

As Microsoft Threat Intelligence experts recently discovered, some developers use ASP.NET validationKey and decryptionKey keys (designed to protect ViewState from tampering and information disclosure) found on code documentation and repository platforms in their own software.

ViewState enables ASP.NET Web Forms to control state and preserve user inputs across page reloads. However, if attackers get the machine key designed to protect it from tampering and information disclosure, they can use it in code injection attacks to craft malicious payloads by attaching a crafted message authentication code (MAC).

Threat actors also use machine keys from publicly available sources in code injection attacks to create malicious ViewStates (used by ASP.NET Web Forms to control state and preserve pages) by attaching a crafted message authentication code (MAC).

When loading the ViewStates sent via POST requests, the ASP.NET Runtime on the targeted server decrypts and validates the attackers’ maliciously crafted ViewState data because it uses the right keys, loads it into the worker process memory, and executes it.

This grants them remote code execution (RCE) on the targeted IIS web servers, allowing them to deploy additional malicious payloads.

In one instance, observed in December 2024, an unattributed attacker used a publicly known machine key to deliver the Godzilla post-exploitation framework, which features malicious command execution and shellcode injection capabilities, to a targeted Internet Information Services (IIS) web server.

“Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which are called ViewState code injection attacks,” the company said on Thursday.

“Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification.”

To block such attacks, Microsoft recommends developers securely generate machine keys, not use default keys or keys found online, encrypt machineKey and connectionStrings elements to block access to plaintext secrets, upgrade apps to use ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) capabilities, and harden Windows Servers by using attack surface reduction rules such as Block Webshell creation for Servers.

Microsoft also shared detailed steps for removing or replacing ASP.NET keys in the web.config configuration file using either PowerShell or the IIS manager console and removed key samples from its public documentation to further discourage this insecure practice.

“If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted,” Redmond warned.

“In particular, web-facing servers should be fully investigated and strongly considered for re-formatting and re-installation in an offline medium in cases where publicly disclosed keys have been identified, as these servers are most at risk of possible exploitation.”
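As a defender's check for the risk described above, the following added example (not code from Microsoft or from the original article) audits web.config content for static machineKey values and flags any whose hash appears in a list of disclosed keys. The key value, the hash-list format and the names `audit_web_config`, `is_static` and `wrap` are assumptions made for illustration; the sample configs are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a key copied from public documentation (not a real key).
CONSTRUCTED_PUBLIC_KEY = "0123456789ABCDEF" * 8
# Assumption: disclosed keys are tracked as SHA-256 digests of the upper-case hex
# string, so the scanner never has to carry the keys themselves.
KNOWN_PUBLIC_HASHES = {hashlib.sha256(CONSTRUCTED_PUBLIC_KEY.encode()).hexdigest()}

def is_static(value):
    """True when a key is written into the file rather than auto-generated."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")

def audit_web_config(xml_text, known_hashes=KNOWN_PUBLIC_HASHES):
    """Return (attribute, severity) findings for each <machineKey> element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("machineKey"):
        if elem.get("configProtectionProvider"):
            # Section is encrypted at rest; its keys cannot be compared here.
            findings.append(("machineKey", "ENCRYPTED_SECTION"))
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            if not is_static(value):
                continue
            key = value.split(",")[0].strip().upper()  # drop modifiers such as IsolateApps
            digest = hashlib.sha256(key.encode()).hexdigest()
            severity = "PUBLICLY_DISCLOSED" if digest in known_hashes else "STATIC"
            findings.append((attr, severity))
    return findings

def wrap(machine_key_xml):
    """Build a minimal constructed web.config around one machineKey element."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"

# Constructed sample inputs.
STATIC_VALIDATION = "AB12" * 16
STATIC_DECRYPTION = "CD34" * 12
COPIED = wrap(f'<machineKey validationKey="{CONSTRUCTED_PUBLIC_KEY.lower()}" '
              'decryptionKey="AutoGenerate,IsolateApps" />')
PRIVATE_STATIC = wrap(f'<machineKey validationKey="{STATIC_VALIDATION}" '
                      f'decryptionKey="{STATIC_DECRYPTION}" />')
DEFAULT = wrap("<machineKey />")

if __name__ == "__main__":
    for name, cfg in (("copied", COPIED), ("static", PRIVATE_STATIC), ("default", DEFAULT)):
        print(name, audit_web_config(cfg))
```

A `STATIC` finding is a prompt for review rather than proof of exposure, since web farms legitimately share a generated key; `PUBLICLY_DISCLOSED` is the case the article warns about, where rotating the key alone is not enough.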