
Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks


Feb 07, 2025 | Ravie Lakshmanan | Cloud Security / Web Security


Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby putting their applications in attackers’ pathway.

The tech giant’s threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.

It also noted that it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it is calling ViewState code injection attacks.


“Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification,” Microsoft said.

ViewState is a method used in the ASP.NET framework to preserve page and control values between postbacks. This can also include application data that is specific to a page.

“By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding,” Microsoft notes in its documentation. “In addition, a hash of the view state data is created from the data by using a machine authentication code (MAC) key. The hash value is added to the encoded view state data and the resulting string is stored in the page.”

In using a hash value, the idea is to ensure that the view state data has not been corrupted or tampered with by malicious actors. That said, if these keys are stolen or made accessible to unauthorized third parties, it opens the door to a scenario where the threat actor can leverage the keys to send a malicious ViewState request and execute arbitrary code.

“When the request is processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used,” Redmond noted. “The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS web server.”

Microsoft has provided a list of hash values for the publicly disclosed machine keys, urging customers to check them against the machine keys used in their environments. It has also warned that in the event of a successful exploitation of publicly disclosed keys, merely rotating the keys will not be sufficient as the threat actors may have already established persistence on the host.
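A check of the kind described above could look like the following. This is an added example, not Microsoft's tooling or code from the article; the hash format (SHA-256 of the upper-cased key string), the sample web.config, the stand-in hash list and all function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key value is made up for this example.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <location path="legacy">
    <system.web>
      <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" />
    </system.web>
  </location>
</configuration>"""

def key_digest(key: str) -> str:
    # Assumption: the published list holds SHA-256 digests of the upper-cased key string.
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()

def find_static_keys(config_xml: str):
    """Yield (attribute, value) for every hard-coded machineKey value."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            # "AutoGenerate[,IsolateApps]" means the runtime creates the key itself.
            if value and not value.lower().startswith("autogenerate"):
                yield attr, value

def audit(config_xml: str, disclosed: set):
    """Return (attribute, status) for each static key; status is DISCLOSED or static."""
    findings = []
    for attr, value in find_static_keys(config_xml):
        status = "DISCLOSED" if key_digest(value) in disclosed else "static"
        findings.append((attr, status))
    return findings

# Constructed stand-in for the published hash list.
DISCLOSED_HASHES = {key_digest("0123456789ABCDEF" * 4)}

if __name__ == "__main__":
    for attr, status in audit(SAMPLE_WEB_CONFIG, DISCLOSED_HASHES):
        print(f"{attr}: {status}")
```

A key reported as "static" is not on the list but is still hard-coded in configuration, so it is worth reviewing where it came from.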

To mitigate the risk posed by such attacks, it is advised not to copy keys from publicly available sources and to regularly rotate keys. As a further step to deter threat actors, Microsoft said it removed key artifacts from “limited instances” where they were included in its documentation.


The development comes as cloud security company Aqua revealed details of an OPA Gatekeeper bypass that could be exploited to conduct unauthorized actions in Kubernetes environments, including deploying unauthorized container images.

“In the k8sallowedrepos policy, a security risk arises from how the Rego logic is written in the ConstraintTemplate file,” researchers Yakir Kadkoda and Assaf Morag said in an analysis shared with The Hacker News.

“This risk is further amplified when users define values in the Constraint YAML file that do not align with how the Rego logic processes them. This mismatch can result in policy bypasses, making the restrictions ineffective.”
