Full Report
Microsoft Threat Intelligence identified a threat actor exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks. This technique enables attackers to inject malicious code into web applications, leading to remote code execution on IIS serv...
Analysis Summary
# Incident Report: ASP.NET ViewState Code Injection via Public Machine Keys
## Executive Summary
A threat actor exploited publicly disclosed ASP.NET machine keys (ValidationKey and DecryptionKey) to conduct ViewState code injection attacks against IIS servers. This resulted in Remote Code Execution (RCE) and the deployment of the Godzilla post-exploitation framework. The initial compromise began in December 2024.
## Incident Details
- Discovery Date: February 12, 2025 (Based on public reporting date, actual internal discovery date unknown)
- Incident Date: Commenced December 2024
- Affected Organization: Not explicitly disclosed (various organizations running IIS/ASP.NET with a vulnerable machine key configuration were targeted)
- Sector: Unspecified (Focus on web applications)
- Geography: Unspecified
## Timeline of Events
### Initial Access
- Date/Time: December 2024 (Start of observed activity)
- Vector: Malicious ViewState Code Injection
- Details: Attacker obtained a publicly available ASP.NET machine key (ValidationKey/DecryptionKey) from online repositories. This key was used to craft a malicious ViewState payload sent via POST requests to target IIS web applications.
### Lateral Movement
- Details: Once RCE was achieved, the attacker deployed the Godzilla post-exploitation framework, which facilitates subsequent command execution and shellcode injection, leading to broader control.
### Data Exfiltration/Impact
- Details: The primary impact was allowing the deployment of the Godzilla framework, enabling the attacker to run arbitrary commands and potentially leading to data exfiltration (details on specific exfiltrated data were not provided in the context).
### Detection & Response
- Date/Time: Detection confirmed prior to February 12, 2025.
- Details: Identified by Microsoft Threat Intelligence based on observed activity using this specific technique. Specific organizational response actions are not detailed; publication of the finding indicates it was released to raise awareness.
## Attack Methodology
- Initial Access: Exploitation of insecure ASP.NET configuration using publicly disclosed machine keys to achieve ViewState Code Injection leading to RCE.
- Persistence: Deployment of the Godzilla post-exploitation framework to maintain access and execute further actions.
- Privilege Escalation: Not explicitly detailed, but the RCE runs with the (often high) privileges of the affected web application process.
- Defense Evasion: Utilizing seemingly legitimate framework functionality (ViewState processing) with malicious data.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed, but post-exploitation tools (Godzilla) inherently involve discovery capabilities.
- Lateral Movement: Achieved via command execution capabilities provided by the loaded Godzilla framework.
- Collection: Not explicitly detailed.
- Exfiltration: Not explicitly detailed.
- Impact: Remote Code Execution (RCE) on IIS servers.
## Impact Assessment
- Financial: Unknown.
- Data Breach: Potential for unauthorized access and exfiltration of data accessible by the compromised IIS application.
- Operational: Disruption of web application availability and integrity due to RCE.
- Reputational: Potential damage due to successful exploitation based on easily accessible information (public machine keys).
## Indicators of Compromise
- File Indicators: `assembly.dll` (SHA-256: `19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d`)
- Behavioral Indicators: POST requests containing crafted, signed/encrypted ViewState payloads targeting ASP.NET applications.
- Tools: Godzilla post-exploitation framework.
## Response Actions
*Note: Response actions listed are inferred based on standard procedures for RCE disclosures, as article details are limited.*
- Containment: Identifying and isolating affected IIS servers; temporarily disabling public-facing services if necessary.
- Eradication: Revoking/rotating all active ASP.NET machine keys (ValidationKey and DecryptionKey) organization-wide.
- Recovery: Restoring systems from clean backups, patching applications, and ensuring all running processes are verified clean of Godzilla remnants.
## Lessons Learned
- Relying on default or publicly exposed configuration secrets, even those intended for internal application security (like ASP.NET Machine Keys), creates a significant RCE vulnerability if compromised.
- The attack demonstrates that modern post-exploitation payloads (like Godzilla) are being delivered through seemingly benign application mechanisms (ViewState processing).
## Recommendations
- **Immediate Rotation:** Immediately audit and aggressively rotate all ASP.NET ValidationKey and DecryptionKey values across the entire organization.
- **Configuration Hardening:** Implement automated scans to check for hardcoded or publicly accessible secrets within application deployments.
- **Input Validation:** Enhance monitoring for unusual content or execution within application state mechanisms like ViewState, even when signed.
- **Monitoring:** Increase detection capabilities for post-exploitation frameworks like Godzilla attempting command and control or shellcode injection on web servers.
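The rotation and hardening recommendations above can be put into a repeatable check. The script below is an added example, not code from Microsoft's report: it audits the `<machineKey>` element of ASP.NET `web.config` files for hard-coded keys, compares their SHA-256 fingerprints against an inventory of keys known to have been published (the inventory here is a placeholder seeded with one constructed, obviously fake key), and generates replacement key material sized the way IIS Manager's "Generate Keys" does. The function names, the sample configs and the placeholder key are all assumptions made for the example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample key (a repeating pattern, not a real key) used only so the
# demo has a "known public" value to match against.
CONSTRUCTED_PUBLIC_KEY = "0123456789ABCDEF" * 8  # 128 hex chars


def key_fingerprint(key: str) -> str:
    """SHA-256 of the upper-cased key string, so an inventory of known-public
    keys can be shared and compared without storing the key values themselves.
    ASP.NET hex keys are case-insensitive, hence the normalisation."""
    return hashlib.sha256(key.strip().upper().encode("ascii")).hexdigest()


# Placeholder inventory: populate from your own collection of keys seen in
# public repositories, sample projects or documentation.
KNOWN_PUBLIC_KEY_FINGERPRINTS = {key_fingerprint(CONSTRUCTED_PUBLIC_KEY)}


@dataclass
class Finding:
    path: str
    issues: list = field(default_factory=list)

    @property
    def needs_rotation(self) -> bool:
        return bool(self.issues)


def audit_web_config(path: str, xml_text: str, known=KNOWN_PUBLIC_KEY_FINGERPRINTS) -> Finding:
    """Flag every explicit validationKey/decryptionKey; AutoGenerate* values are skipped."""
    finding = Finding(path)
    root = ET.fromstring(xml_text)
    # iter() also catches <machineKey> elements placed inside <location> overrides.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # runtime-generated keys are not hard-coded
            if key_fingerprint(value) in known:
                finding.issues.append(f"{attr} matches a known public key: rotate immediately")
            else:
                finding.issues.append(
                    f"{attr} is hard-coded: confirm it is unique and not committed to source control")
    return finding


def generate_machine_key() -> dict:
    """New keys sized like IIS Manager's generator: 64-byte validation key
    (HMACSHA256) and 32-byte decryption key (AES-256), as upper-case hex."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key_element(keys: dict) -> str:
    """Render the replacement <machineKey> element for web.config."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)


# Constructed web.config samples: one with a "public" key, one using AutoGenerate.
SAMPLE_PUBLIC = f"""<configuration><system.web>
  <machineKey validationKey="{CONSTRUCTED_PUBLIC_KEY}" decryptionKey="{'FEDCBA9876543210' * 4}"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, text in (("public.web.config", SAMPLE_PUBLIC), ("auto.web.config", SAMPLE_AUTO)):
        result = audit_web_config(name, text)
        print(name, "->", result.issues or ["no hard-coded machine key"])
    print(render_machine_key_element(generate_machine_key()))
```

Two caveats worth keeping in mind when acting on the output: rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so schedule it with that in mind; and in a web farm every node must receive the same new key, so `AutoGenerate` is only an option for single-server deployments.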