Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks

Summary:
Microsoft has issued a critical warning about a growing security risk in which developers are unknowingly incorporating publicly disclosed ASP.NET machine keys from online sources, making their applications vulnerable to cyberattacks. The company’s threat intelligence team observed a limited but concerning attack in December 2024, where an unidentified threat actor exploited a publicly available, static ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. Microsoft further revealed that over 3,000 publicly disclosed machine keys are available online, putting thousands of applications at risk through what it has termed ViewState code injection attacks.


Traditionally, ViewState attacks have involved stolen or compromised keys, often traded on dark web forums, but these newly disclosed keys pose an even greater risk due to their widespread availability in open-source code repositories. Many of these keys may have been unintentionally pushed into production environments by developers without realizing the security implications. ViewState, a mechanism in ASP.NET that maintains page and control values across postbacks, relies on a machine authentication code key to hash and validate the data. If an attacker gains access to these keys, they can create malicious ViewState requests, allowing them to execute arbitrary code remotely on the targeted IIS web server.

Security Officer Comments:
The attack works by tricking the ASP.NET runtime into decrypting and validating a malicious ViewState request using a legitimate but publicly available machine key. Once processed, the malicious code is loaded into the worker process memory, granting the attacker remote code execution capabilities. Microsoft has warned that simply rotating compromised keys may not be sufficient, as threat actors could have already established persistence on affected systems. To help organizations identify exposure, Microsoft has provided hash values for known disclosed machine keys, urging security teams to compare them against their own environments.


Suggested Corrections:
Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging customers to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host. To mitigate the risk posed by such attacks, it's advised to not copy keys from publicly available sources and to regularly rotate keys. As a further step to deter threat actors, Microsoft said it removed key artifacts from "limited instances" where they were included in its documentation.
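One way to run the comparison described above, as an added example that is not Microsoft's tooling or part of the original article: it finds hard-coded `machineKey` values in `web.config` content and checks their hashes against a disclosed-key list. The sample configs, key values, function names, and the fingerprint format (SHA-256 of the upper-cased key string) are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config contents; the key values are made up.
SAMPLE_CONFIGS = {
    "site-a/web.config": """<configuration><system.web>
        <machineKey validationKey="AAAA1111BBBB2222CCCC3333DDDD4444"
                    decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                    validation="HMACSHA256" decryption="AES" />
      </system.web></configuration>""",
    "site-b/web.config": """<configuration><system.web>
        <machineKey validationKey="AutoGenerate,IsolateApps"
                    decryptionKey="AutoGenerate,IsolateApps" />
      </system.web></configuration>""",
    "site-c/web.config": """<configuration><location path="admin"><system.web>
        <machineKey validationKey="feedfacefeedfacefeedfacefeedface"
                    decryptionKey="AutoGenerate" />
      </system.web></location></configuration>""",
}

def key_fingerprint(key_hex):
    # Assumption: SHA-256 over the upper-cased hex string. Match whatever
    # format the published list actually uses before relying on this.
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()

# Constructed stand-in for the published list of disclosed-key hashes.
DISCLOSED_HASHES = {key_fingerprint("AAAA1111BBBB2222CCCC3333DDDD4444")}

def audit_config(path, xml_text, disclosed):
    """Return (path, attribute, status) for every hard-coded key found."""
    findings = []
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            # AutoGenerate means no key material is stored in the file.
            if not value or value.lower().startswith("autogenerate"):
                continue
            hit = key_fingerprint(value) in disclosed
            findings.append((path, attr, "DISCLOSED" if hit else "static"))
    return findings

def audit_all(configs, disclosed):
    results = []
    for path in sorted(configs):
        results.extend(audit_config(path, configs[path], disclosed))
    return results

if __name__ == "__main__":
    for path, attr, status in audit_all(SAMPLE_CONFIGS, DISCLOSED_HASHES):
        print(f"{status:9} {attr:13} {path}")
```

A `static` result that does not match the list still deserves a check of where the key came from, since a copied key may not be on any list. A `DISCLOSED` result calls for investigating the host for persistence, not only rotating the key.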


Link(s):
https://thehackernews.com/2025/02/microsoft-identifies-3000-publicly.html