Microsoft warns hackers have a new and devious way of distributing malware

News
By
published

Are you using publicly available keys for ViewState?

A person using a laptop on a table.
(Image credit: Shutterstock/SFIO CRACHO)
  • ViewState code injection attacks can lead to remote code execution, Microsoft warned
  • Many devs are not generating their own machine keys for ViewState
  • There are thousands of publicly available keys cybercriminals can use

Cybercriminals are abusing a weakness in ASP.NET websites to remotely execute malicious code, according to Microsoft’s Threat Intelligence team, which has published an in-depth analysis on the new method.

In the article, Microsoft explained threat actors were injecting malicious code through a method called ViewState code injection attacks.

ViewState is a feature in ASP.NET websites that helps remember user input and page settings when the page is refreshed. It stores this information in a hidden part of the webpage so that when the user interacts with the page again, it can reload the saved data without losing anything.

Accepting malicious code

As it turns out, many developers are using machine keys (security codes designed to protect the website’s ViewState data) that they find online, rather than generating their own. These machine keys are intended to prevent tampering with ViewState, which tracks data on web pages as users interact with them.

However, if developers can find these keys, so can criminals. When they do, they can use them to inject harmful content into a website’s ViewState. Because the machine key is the same as the one the website expects, the server decrypts and processes the malicious code, allowing attackers to run their own commands on the server. This can lead to remote code execution, Microsoft warned.

The researchers found more than 3,000 publicly disclosed keys that can be used in these attacks. In some cases, the researchers added, developers might unknowingly push these public keys into their code, as well.

To prevent these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly available ones, and secure sensitive data by encrypting parts of their configuration files.

Upgrading to a newer version of ASP.NET is also recommended, as is using security features such as the Antimalware Scan Interface (AMSI).

Microsoft also provided instructions on how to remove or replace the insecure machine keys from the server's configuration files and removed examples of these keys from its public documentation to discourage the insecure practice.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Ransomware

8base ransomware site taken down in global police operation
A person holding a credit card in one hand while typing on a laptop keyboard with the other.

Google system abused by hackers to hijack ecommerce stores
How to change your PSN name

Supermarket Simulator Pro is no more as a number of 'spam' games are removed from the PS Store
See more latest