
Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks


Feb 07, 2025 | Ravie Lakshmanan | Cloud Security / Web Security


Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible sources, thereby putting their applications in attackers’ pathway.

The tech giant’s threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.

It also noted that it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it is calling ViewState code injection attacks.


“Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they’re available in multiple code repositories and could have been pushed into development code without modification,” Microsoft said.

ViewState is a method used in the ASP.NET framework to preserve page and control values between postbacks. This can also include application data that is specific to a page.

“By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding,” Microsoft notes in its documentation. “In addition, a hash of the view state data is created from the data by using a machine authentication code (MAC) key. The hash value is added to the encoded view state data and the resulting string is stored in the page.”

In using a hash value, the idea is to ensure that the view state data has not been corrupted or tampered with by malicious actors. That said, if these keys are stolen or made accessible to unauthorized third parties, it opens the door to a scenario where the threat actor can leverage the keys to send a malicious ViewState request and execute arbitrary code.

“When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used,” Redmond noted. “The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”

Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging customers to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host.

To mitigate the risk posed by such attacks, it is advised to not copy keys from publicly available sources and to regularly rotate keys. As a further step to deter threat actors, Microsoft said it removed key artifacts from “limited instances” where they were included in its documentation.
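One way to run the check described above against a `web.config`, as an added example that is not Microsoft's tooling or code from the original article: it flags static `machineKey` values and compares their hashes to a list of disclosed-key hashes. The hash scheme (SHA-256 over the upper-cased hex key string), the function names and the sample keys are assumptions; match the hashing to the format of the published list before relying on the result.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; both key values are made up for this example.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey
      validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
      decryptionKey="FEDCBA9876543210FEDCBA9876543210"
      validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def key_hash(key_hex):
    """Hash a key the way the disclosed-key list is ASSUMED to be built."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


def audit_machine_keys(config_xml, disclosed_hashes):
    """Return (attribute, status) for every static key found in the config.

    status is "disclosed" when the key's hash is on the supplied list and
    "static" when the key is hard-coded but not on the list.
    """
    findings = []
    root = ET.fromstring(config_xml)
    # iter() also finds machineKey elements nested under <location> blocks.
    for element in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = element.get(attr)
            if value is None:
                continue
            # Drop modifiers such as ",IsolateApps" that follow the key.
            key = value.split(",")[0].strip()
            if key.lower() == "autogenerate":
                continue  # generated per machine, nothing hard-coded to leak
            status = "disclosed" if key_hash(key) in disclosed_hashes else "static"
            findings.append((attr, status))
    return findings


if __name__ == "__main__":
    # Constructed "disclosed" list holding only the sample validation key.
    disclosed = {key_hash("0123456789ABCDEF" * 4)}
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, disclosed):
        print(f"{attr}: {status}")
```

A "disclosed" result calls for investigating the host as well as rotating the key; a "static" result is still worth confirming that the key was generated locally and not copied from a public source.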


The development comes as cloud security company Aqua revealed details of an OPA Gatekeeper bypass that could be exploited to conduct unauthorized actions in Kubernetes environments, including deploying unauthorized container images.

“In the k8sallowedrepos policy, a security risk arises from how the Rego logic is written in the ConstraintTemplate file,” researchers Yakir Kadkoda and Assaf Morag said in an analysis shared with The Hacker News.

“This risk is further amplified when users define values in the Constraint YAML file that do not align with how the Rego logic processes them. This mismatch can result in policy bypasses, making the restrictions ineffective.”
