Microsoft Warns of ViewState Code Injection Attacks Using Publicly Available ASP.NET Machine Keys

Microsoft is sounding the alarm on a growing security threat targeting web servers. Attackers are leveraging publicly available ASP.NET machine keys to launch ViewState code injection attacks, allowing them to remotely execute malicious payloads on IIS servers. The discovery, made by Microsoft Threat Intelligence experts, raises concerns about the widespread exposure of sensitive keys in online repositories.

Attackers Exploit Publicly Available Machine Keys

Security researchers at Microsoft have uncovered a critical flaw in how some developers handle ASP.NET validation and decryption keys. These keys are meant to secure ViewState data, which ASP.NET Web Forms uses to preserve page and control state between requests, but when they are copied from public documentation and repositories they become a significant security risk.

Hackers are exploiting these publicly available keys to craft malicious ViewState data and sign it with a valid message authentication code (MAC), so the targeted ASP.NET runtime accepts the payload as genuine, deserializes it, and executes the injected code. This technique gives attackers remote code execution (RCE) on IIS servers, from which they can deploy additional malware or create backdoors for persistent access.

One alarming case in December 2024 involved an attacker delivering the Godzilla post-exploitation framework using a known machine key. Godzilla is a powerful tool designed for executing commands and injecting shellcode, which could be devastating for affected web servers.


Microsoft Identifies Over 3,000 Exposed Machine Keys

Microsoft’s analysis revealed that more than 3,000 ASP.NET machine keys are publicly accessible, posing a serious threat to web applications.

  • Unlike previous attacks that relied on stolen or compromised keys traded on dark web forums, these keys are freely available in public repositories.
  • Many developers unknowingly integrate these keys into their software without modification, inadvertently leaving their applications vulnerable.
  • Web servers using these exposed keys could be susceptible to silent exploitation, making it difficult for organizations to detect unauthorized access.

Given the ease with which attackers can obtain and weaponize these keys, Microsoft warns that the risk of widespread attacks is significantly higher than before.

How Developers Can Protect Their Web Servers

To mitigate these attacks, Microsoft urges developers to adopt better security practices and implement stronger protections:

  • Secure Key Generation: Always generate unique machine keys instead of using default or publicly available keys.
  • Encrypt Sensitive Configuration Files: Protect the machineKey and connectionStrings sections in the web.config file to prevent plaintext exposure.
  • Upgrade to ASP.NET 4.8: This version includes Antimalware Scan Interface (AMSI) capabilities, helping detect and block malicious ViewState manipulations.
  • Harden Windows Servers: Use attack surface reduction (ASR) rules, such as blocking web shell creation, to limit potential exploitation paths.

Microsoft also removed machine key samples from its public documentation to prevent developers from mistakenly using insecure keys.
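To make the key-handling problem and the "generate unique keys" advice concrete, here is an added defender-side audit script (written for this article, not Microsoft's code). It parses the `machineKey` element out of a web.config, flags keys whose SHA-256 digest appears in a list of known-exposed keys, flags weak validation and decryption algorithms, and emits a fresh replacement element. The web.config, its key values and the exposed-hash list are all constructed placeholders; a real deployment would load a vendor-published hash list.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment. The key values are placeholders made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Hypothetical set of SHA-256 digests of keys known to be public, built here from the
# placeholder validationKey above so the audit flags it.
EXPOSED_KEY_HASHES = {hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest()}

def parse_machine_key(config_xml):
    """Return the <machineKey> attributes from a web.config string, or None if absent."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)

def audit_machine_key(attrs, exposed_hashes):
    """Return a list of findings for a machineKey element (empty list means nothing flagged)."""
    if attrs is None:
        # No explicit element: ASP.NET auto-generates per-server keys, fine for a single node.
        return ["no explicit machineKey; keys are auto-generated per server"]
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        # Compare digests, not raw keys, so the exposed-key list never has to hold plaintext keys.
        if hashlib.sha256(value.upper().encode()).hexdigest() in exposed_hashes:
            findings.append(f"{name} matches a publicly exposed key; rotate immediately")
    if attrs.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    if attrs.get("decryption", "AES").upper() in ("DES", "3DES"):
        findings.append("decryption algorithm is weak; use AES")
    return findings

def generate_machine_key_element():
    """Build a replacement <machineKey> with fresh random keys (64-byte HMACSHA256, 32-byte AES)."""
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')

if __name__ == "__main__":
    for finding in audit_machine_key(parse_machine_key(SAMPLE_WEB_CONFIG), EXPOSED_KEY_HASHES):
        print("FINDING:", finding)
    print("Replacement:", generate_machine_key_element())
```

Note that generating a new element is only half of a rotation: the same pair must be deployed to every node of a web farm, and the article's advice to investigate for persistence still applies before trusting the rotated server.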

Reinstallation May Be Necessary for Compromised Servers

For organizations that suspect their web servers have been compromised through these exposed keys, Microsoft advises taking immediate action. Simply rotating the affected machine keys may not be enough if attackers have already established persistence.

  • Investigate web-facing servers: A full security audit is necessary to check for any backdoors or unauthorized modifications.
  • Consider reinstallation: In cases of confirmed exploitation, Microsoft strongly recommends reformatting and reinstalling the affected servers in an offline environment to fully eliminate any malicious presence.

Since publicly disclosed keys are being actively exploited, companies must act fast to secure their infrastructure. Attackers are continuously scanning for vulnerable web servers, and any delay in addressing this issue could result in severe security breaches.

Stephon Brody is a writer who is good at movies, sports, technology, and health related articles. He is passionate about sharing his knowledge and opinions on various topics that interest him and his audience. He is a creative and reliable writer who can deliver engaging and informative articles to his readers.
