Learn extra at:
Microsoft Risk Intelligence in December noticed a “menace actor” utilizing a publicly out there ASP.NET machine key to inject malicious code and fetch the Godzilla post-exploitation framework, a “backdoor” internet shell utilized by intruders to execute instructions and manipulate information. The corporate then recognized greater than 3,000 publicly disclosed ASP.NET machine keys—i.e., keys that have been disclosed in code documentation and repositories—that might be utilized in a majority of these assaults, known as ViewState code injection assaults.
In response, Microsoft Risk Intelligence is warning organizations to not copy keys from publicly out there sources and urging them to repeatedly rotate keys. In a February 6 bulletin, Microsoft Risk Intelligence stated that in investigating and defending towards this exercise, it has noticed an insecure observe whereby builders used publicly disclosed ASP.NET machine keys from code documentation, repositories, and different public sources that have been then utilized by menace actors to carry out malicious actions heading in the right direction servers. Whereas many beforehand identified ViewState code injection assaults used compromised or stolen keys that have been bought on darkish internet boards, these publicly disclosed keys may pose a better danger as a result of they’re out there in a number of code repositories and will have been pushed into growth code with out modification, Microsoft stated. The restricted malicious exercise Microsoft noticed in December included using one publicly disclosed key to inject malicious code. Microsoft Risk Intelligence continues to watch the extra use of this assault method, Microsoft stated.
ViewState is the tactic by which ASP.NET internet kinds protect web page and management between postbacks, Microsoft Risk Intelligence stated. Information for ViewState is saved in a hidden area on the web page and is encoded. To guard ViewState towards tampering and disclosure, the ASP.NET web page framework makes use of machine keys. “If these keys are stolen or made accessible to menace actors, these menace actors can craft a malicious ViewState using the stolen keys and ship it to the web site through a POST request,” Microsoft Risk Intelligence stated within the bulletin. “When the request is processed by ASP.NET Runtime on the focused server, the ViewState is decrypted and validated efficiently as a result of the correct keys are used. The malicious code is then loaded into the employee course of reminiscence and executed, offering the menace actor distant code execution capabilities on the goal IIS internet server.”
