Microsoft has identified more than 3,000 publicly exposed ASP.NET machine keys that could be used by threat actors in code injection attacks against enterprise servers.
In a blog post Thursday, Microsoft Threat Intelligence said it observed "limited activity" in December, in which a threat actor used a publicly available ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. While Microsoft said the threat actor is "unattributed," the U.S. government previously has tied the Godzilla framework, which creates malicious web shells that can be used as backdoors, to Chinese state-sponsored threat actors.
"In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers," Microsoft said in the blog post.
The insecure practice, Microsoft said, has left more than 3,000 ASP.NET machine keys publicly disclosed on the internet. Threat actors can abuse such keys in what are called ViewState code-injection attacks. ViewState, Microsoft explained, is the mechanism ASP.NET page frameworks use to preserve page and control values between round trips. ASP.NET machine keys, normally the validationKey and decryptionKey values set in the machineKey element of an application's web.config, protect ViewState from tampering (the validation key signs it) and from data disclosure (the decryption key encrypts it).
If those keys fall into the wrong hands, however, an attacker can craft a malicious ViewState payload that carries a valid signature, deliver it to the website in an ordinary request, and gain remote code execution on the enterprise IIS (Internet Information Services) server that accepts and deserializes it. In other words, an organization running an exposed ASP.NET machine key inadvertently hands threat actors the credential they need to remotely compromise the organization's own servers.
"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," the company warned.
Jeremy Dallman, senior director of security research at Microsoft Threat Intelligence, issued a call to action in a LinkedIn post. "Poor hygiene practices by owners of static ASP.NET machine keys have resulted in these getting disclosed inadvertently around the internet in code samples and documentation," he wrote. "The community needs to step up and clean house to eradicate this technique."
It's unclear if any of the 3,000 exposed keys have been rotated and secured by their respective owners. Microsoft declined to comment.
In the blog post, Microsoft advised owners of ASP.NET machine keys to rotate them regularly and not to expose them in publicly available resources such as code documentation and repositories. The company also urged developers not to use such exposed keys in their environments.
Microsoft also published hash values for the publicly disclosed machine keys in a GitHub repository and advised customers to check their networks with a provided script. Microsoft Defender for Endpoint can detect at-risk keys in a network via the alert “Publicly disclosed ASP.NET machine key,” according to the vendor.
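To make the weak setting and the check concrete, the following is an added example and not Microsoft's published script or any code from the blog post. It parses web.config, flags a static machineKey element whose keys match a hash blocklist, shows the corrected auto-generated setting beside it, and generates a fresh key pair for rotation. The web.config samples, the hex key values and the blocklist are constructed for illustration; the hashing convention (SHA-256 over the upper-cased hex string) is an assumption for this example and is not necessarily the format of Microsoft's published list.

```python
"""Find static ASP.NET machine keys in web.config and check them against a
hash blocklist. Added example; the samples and blocklist are constructed and
the SHA-256-over-uppercase-hex convention is an assumption."""
import hashlib
import os
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a static key pair pasted from a public code sample,
# the insecure practice Microsoft describes. The hex values are made up.
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey
      validationKey="B3A1C7F2E94D58600F1E2D3C4B5A69788796A5B4C3D2E1F00112233445566778899AABBCCDDEEFF0123456789ABCDEF0FEDCBA9876543210ABCDEF0123456789"
      decryptionKey="7E6D5C4B3A2918070F1E2D3C4B5A69781234567890ABCDEF0FEDCBA987654321"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
"""

# Corrected setting: ASP.NET generates per-application keys at runtime, so no
# secret lives in source control. (A web farm needs one shared key on every
# node instead; generate it with generate_key_pair() and keep it out of repos.)
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey
      validationKey="AutoGenerate,IsolateApps"
      decryptionKey="AutoGenerate,IsolateApps"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
"""

DISCLOSED = "publicly disclosed key"
STATIC = "static key"
AUTOGENERATED = "autogenerated"


def key_hash(key: str) -> str:
    """SHA-256 of the normalised hex key (assumed convention for this example)."""
    return hashlib.sha256(key.strip().upper().encode("ascii")).hexdigest()


def extract_machine_keys(config_xml: str) -> dict[str, str]:
    """Return validationKey/decryptionKey from every <machineKey> element,
    including ones nested under <location> overrides."""
    keys = {}
    for node in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            if node.get(attr):
                keys[attr] = node.get(attr)
    return keys


def classify_key(value: str, blocklist: set[str]) -> str:
    if value.startswith("AutoGenerate"):
        return AUTOGENERATED
    if key_hash(value) in blocklist:
        return DISCLOSED
    return STATIC


def assess_config(config_xml: str, blocklist: set[str]) -> dict[str, str]:
    """Map each configured key attribute to its classification. An empty result
    means no <machineKey> element, so ASP.NET falls back to auto-generated keys."""
    return {a: classify_key(v, blocklist) for a, v in extract_machine_keys(config_xml).items()}


def scan_tree(root_dir: str, blocklist: set[str]) -> dict[str, dict[str, str]]:
    """Walk a site root (e.g. C:\\inetpub\\wwwroot) and assess every web.config."""
    results = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:  # strips a BOM if present
                    results[path] = assess_config(fh.read(), blocklist)
    return results


def generate_key_pair() -> tuple[str, str]:
    """Fresh keys for rotation: 64-byte validationKey for HMACSHA256, 32-byte AES decryptionKey."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


# Constructed blocklist: hashes of the keys in the weak sample, standing in for
# Microsoft's published list, which would be loaded from GitHub in practice.
BLOCKLIST = {key_hash(v) for v in extract_machine_keys(WEAK_WEB_CONFIG).values()}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, assess_config(cfg, BLOCKLIST))
```

Two caveats a practitioner should keep in mind. First, rotating a key that has already been used against a server does not evict the attacker: a web shell planted through a forged ViewState survives the rotation, so a disclosed-key finding on a reachable server calls for an investigation of that host, not just a config change. Second, this scanner only reads web.config; keys can also be set in machine.config or through the hosting platform, and Microsoft's own script and the Defender for Endpoint alert remain the authoritative check against the published hash list.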