
Microsoft Discovers 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks


Microsoft has issued a critical warning about a widespread security risk where software developers are embedding publicly disclosed ASP.NET machine keys from open-source repositories. This insecure practice exposes web applications to potential code injection attacks, allowing cybercriminals to exploit vulnerable systems.


3,000 Publicly Disclosed ASP.NET Machine Keys Identified

The Microsoft Threat Intelligence team reported detecting limited cyber activity in December 2024, involving an unidentified threat actor leveraging a publicly available ASP.NET machine key to inject malicious code. The attacker used this exploit to deploy the Godzilla post-exploitation framework, a sophisticated tool often utilized for maintaining unauthorized access.


Further investigation revealed over 3,000 publicly disclosed ASP.NET machine keys that could facilitate similar ViewState code injection attacks. Unlike traditional ViewState exploits that rely on stolen or compromised keys—often traded in dark web forums—these keys are freely available across multiple public code repositories. This significantly increases the risk, as developers may unknowingly integrate them into their projects without modification.


How ViewState Code Injection Works

ViewState is an essential ASP.NET feature that maintains page and control values across postbacks. It stores data in a hidden field on the page, encoded using Base64, and secures it with a Machine Authentication Code (MAC) key to ensure integrity.

 

"By default, view state data is stored in the page in a hidden field and encoded using Base64 encoding. Additionally, a hash of the view state data is created using a machine authentication code (MAC) key to prevent tampering," Microsoft explains in its official documentation.


If a threat actor gains access to these machine keys, they can craft malicious ViewState requests. When an IIS server processes such a request, the ASP.NET runtime decrypts and validates the ViewState successfully, because it was protected with the same keys the server uses. This allows the attacker to inject and execute arbitrary code, leading to remote code execution (RCE) on the targeted IIS web server.


Microsoft's Recommendations and Mitigation Strategies

To protect against ViewState injection attacks, Microsoft strongly advises:

✅ Avoid using machine keys from public repositories – Always generate unique and secure machine keys.

✅ Regularly rotate machine keys – However, simply rotating keys may not be enough if an attacker has already gained persistence.

✅ Verify machine keys – Microsoft has released a list of hash values for the compromised machine keys, urging developers to check their environments for potential exposure.

✅ Monitor for unusual activity – Proactively track server logs for unauthorized ViewState requests or anomalous IIS process behavior.
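
The "verify machine keys" step above, as an added example that is not Microsoft's tooling or part of the original article: it reads every machineKey element in a web.config and compares each static key against a hash list. The sample config, the one-entry list and the fingerprint format (SHA-256 of the uppercase hex key) are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; both key values are made up for this example.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,IsolateApps"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key):
    # Assumption: the published list holds SHA-256 digests of the uppercase
    # hex key string. Adjust to whatever format the real list documents.
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()


# Constructed stand-in for the published hash list (one entry, from the sample).
DISCLOSED_HASHES = {
    key_fingerprint("0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")
}


def audit_machine_keys(config_xml, disclosed_hashes):
    """Return (attribute, verdict) pairs for every machineKey element."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Compare the local name so a config with an xmlns still matches.
        if el.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            raw = el.get(attr)
            if raw is None:
                continue  # attribute absent: ASP.NET falls back to AutoGenerate
            # Modifiers such as ",IsolateApps" follow the key; drop them.
            key = raw.split(",")[0].strip()
            if key.lower() == "autogenerate":
                verdict = "auto-generated"
            elif key_fingerprint(key) in disclosed_hashes:
                verdict = "publicly disclosed"
            else:
                verdict = "static, not on list"
            findings.append((attr, verdict))
    return findings


if __name__ == "__main__":
    for attr, verdict in audit_machine_keys(SAMPLE_CONFIG, DISCLOSED_HASHES):
        print(f"{attr}: {verdict}")
```

A "static, not on list" verdict still marks a hard-coded key: confirm it was generated for this application and was not copied from documentation or a repository.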


Additionally, Microsoft has removed key artifacts from limited instances where they were mistakenly included in its official documentation, further emphasizing the need for responsible key management.


Emerging Cloud Security Threat: Kubernetes OPA Gatekeeper Bypass

Alongside these revelations, cloud security firm Aqua Security disclosed a major security flaw affecting Kubernetes environments. Researchers Yakir Kadkoda and Assaf Morag found a vulnerability in the OPA Gatekeeper that allows attackers to bypass security policies and deploy unauthorized container images.

 

"A security risk arises from how the Rego logic is written in the ConstraintTemplate file. This mismatch can result in policy bypasses, making the restrictions ineffective," Aqua Security stated in an analysis shared with The easy4hub News.


Final Thoughts

The discovery of 3,000 leaked ASP.NET machine keys highlights the growing threat of insecure software development practices. Organizations using ASP.NET must take immediate action to secure their applications against ViewState code injection attacks. Likewise, Kubernetes administrators should assess their configurations to prevent OPA Gatekeeper bypasses.


Stay vigilant and adopt proactive security measures to safeguard your cloud and web applications.