Microsoft Warns Developers Against Using Publicly Disclosed ASP.NET Machine Keys

Website developers are unknowingly exposing their companies to cyber threats by embedding publicly available ASP.NET machine keys from documentation and code repositories into their applications, Microsoft has cautioned.

The tech giant issued a security alert after detecting threat actors in December leveraging a known static ASP.NET machine key to deploy the Godzilla post-exploitation framework, a tool notorious for infiltrating corporate environments.

The attack exploits ViewState, which stores a webpage’s state from its last server processing. If hackers obtain an ASP.NET machine key, they can manipulate ViewState to inject malicious code, sending a crafted payload via a POST request to the target website. Once processed by ASP.NET Runtime, the injected code is executed within the server’s worker process memory, granting attackers remote code execution capabilities.

Microsoft has identified at least 3,000 publicly exposed keys, significantly lowering the barrier for cybercriminals. Unlike previous ViewState attacks that relied on stolen or dark web-traded keys, these readily accessible keys could have unknowingly been incorporated into development projects.

To mitigate the risk, Microsoft advises organizations to avoid copying keys from public sources and implement regular key rotation to enhance security.