Microsoft Threat Intelligence has sounded the alarm over a critical security vulnerability, identifying over 3,000 publicly disclosed ASP.NET machine keys that could be exploited by threat actors to inject malicious code into web servers. The exposed keys, found in code documentation and repositories, pose a significant risk to organizations, allowing attackers to execute commands and manipulate files remotely.
The warning comes after Microsoft observed a threat actor using a publicly available ASP.NET machine key to inject malicious code and fetch the Godzilla post-exploitation framework, a "backdoor" web shell used by intruders to execute commands and manipulate files. This incident highlights the dangers of using publicly disclosed keys, which can be easily accessed by threat actors to perform malicious actions on target servers.
The ViewState code injection attack technique, which leverages these exposed keys, is particularly concerning. ViewState is the mechanism ASP.NET Web Forms uses to preserve page and control state between postbacks. To protect ViewState against tampering and disclosure, the ASP.NET page framework uses machine keys. However, if these keys are stolen or otherwise made accessible to threat actors, those actors can craft a malicious ViewState using the keys and send it to the website via a POST request. When the ASP.NET runtime on the targeted server processes the request, the ViewState is decrypted and validated successfully because the correct keys were used, so the malicious code is loaded into the worker process memory and executed, giving the threat actor remote code execution on the target IIS web server.
Microsoft Threat Intelligence is urging organizations to take immediate action to prevent these types of attacks. The company advises against copying keys from publicly available sources and recommends regularly rotating keys to minimize the risk of exposure. This proactive approach is crucial, as the publicly disclosed keys could have been pushed into development code without modification, making it easier for threat actors to exploit them.
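One way to act on this advice, shown as an added example that is not from Microsoft or the original article: a Python audit that flags a web.config embedding a static machine key and marks any key whose fingerprint appears on a denylist of publicly disclosed keys. The denylist, the sample key and the sample configuration are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample key standing in for one copied from public documentation.
SAMPLE_PUBLIC_KEY = "0123456789ABCDEF" * 8

def key_fingerprint(key_hex):
    """SHA-256 of the normalised key, so the denylist never holds raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()

# Hypothetical denylist: fingerprints of keys known to be publicly disclosed.
DISCLOSED_FINGERPRINTS = {key_fingerprint(SAMPLE_PUBLIC_KEY)}

def audit_machine_keys(config_xml, disclosed=DISCLOSED_FINGERPRINTS):
    """Return (attribute, status) findings for each <machineKey> in a web.config."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        # Ignore any XML namespace prefix on the element name.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            # "AutoGenerate[,IsolateApps]" means no static key is embedded.
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            known = key_fingerprint(value) in disclosed
            findings.append((attr, "disclosed" if known else "static"))
    return findings

# Constructed web.config: one copied (disclosed) key and one hard-coded unique key.
SAMPLE_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_PUBLIC_KEY.lower()}"
                decryptionKey="{'A1B2C3D4' * 8}" validation="HMACSHA256" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_CONFIG):
        action = "rotate now" if status == "disclosed" else "move out of source and rotate"
        print(f"{attr}: {status} key, {action}")
```

A "static" finding is not proof of compromise, but a key committed alongside code is readable by everyone with repository access and should be treated as a rotation candidate.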
The discovery of these exposed keys highlights a common insecure practice among developers, who often use publicly disclosed ASP.NET machine keys from code documentation, repositories, and other public sources. This practice can have devastating consequences, as it allows threat actors to perform malicious actions on target servers. Microsoft's warning serves as a reminder to developers and organizations to prioritize security and adopt best practices to protect against ViewState code injection attacks.
As Microsoft continues to monitor the situation, it's essential for organizations to take heed of this warning and implement robust security measures to prevent these types of attacks. The rotation of keys and the use of secure practices can significantly reduce the risk of exposure, protecting sensitive data and preventing remote code execution attacks.
In the broader context, this incident underscores the importance of security in the development process. As the threat landscape continues to evolve, it's crucial for developers and organizations to prioritize security and adopt proactive measures to prevent attacks. By doing so, they can protect their systems, data, and customers from the ever-growing threat of cyber attacks.