Microsoft has identified over 3,000 publicly accessible ASP.NET machine keys that attackers are actively using to inject malicious code into IIS web servers. The discovery highlights a growing security concern: developers have been unknowingly exposing sensitive machine keys in public repositories, documentation, and misconfigured applications—potentially allowing bad actors to execute arbitrary code remotely.
The attack method involves exploiting ViewState, an ASP.NET feature that preserves page and control state between requests and is protected by the machine key. By obtaining a valid machine key, cybercriminals can create malicious ViewState payloads that IIS servers accept as authentic, decrypt and execute, effectively bypassing authentication.
One of the most concerning cases, observed in December 2024, involved an attacker using a leaked machine key to inject a ViewState payload and deploy the Godzilla web shell. This tool grants persistent access to compromised servers, enabling attackers to execute commands and evade detection.

The discovery adds to growing concerns about the rise of attacks that exploit publicly available information. Microsoft’s Digital Defense Report 2024 revealed that AI-driven cyberattacks have already surpassed 600 million incidents per day, with attackers automating reconnaissance to exploit leaked credentials and misconfigurations.
How Exposed Machine Keys Are Allowing Remote Code Execution
ASP.NET uses machine keys—ValidationKey and DecryptionKey—to secure ViewState, preventing tampering. If these keys are exposed, attackers can create malicious payloads that appear legitimate, tricking IIS servers into executing them.
The attack works as follows: cybercriminals search for publicly available machine keys in repositories, documentation, or leaked configurations.
Once a key is found, they generate a malicious ViewState payload and send it as an HTTP request to the target server. Since the server recognizes the key as legitimate, it processes the payload and runs the attacker’s code—allowing full system access without authentication.
According to Microsoft’s security advisory, this issue highlights a serious security oversight: many organizations are unknowingly running configurations that attackers can exploit with minimal effort.
December 2024 Attack: Hackers Use Public Key to Deploy Godzilla
Microsoft’s security researchers investigated a real-world attack in December 2024, where a threat actor leveraged a publicly available machine key to inject malicious ViewState code. The target was an IIS server running ASP.NET, which decrypted the payload and unknowingly executed it.
As a result, the attacker deployed the Godzilla web shell to maintain unauthorized access. Unlike traditional malware, which often leaves behind executable files, Godzilla operates entirely in memory, making it much harder for antivirus tools to detect.
Microsoft confirmed that this method could be replicated on other IIS servers with improperly secured configurations.
The attack underscores a growing cybersecurity risk: attackers are no longer just exploiting software vulnerabilities—they are increasingly targeting misconfigurations and exposed credentials to gain access to critical systems.
Microsoft’s Security Recommendations for ASP.NET Users
To mitigate the risk of ViewState injection attacks, Microsoft recommends several security measures:
Developers should ensure that ASP.NET machine keys are unique and securely generated, rather than copied from external sources. Organizations should also regularly rotate their machine keys to prevent long-term exposure.
Another critical step is encrypting the `web.config` file, which stores machine keys. Microsoft also advises upgrading to ASP.NET 4.8, which integrates the Antimalware Scan Interface (AMSI), helping IIS servers detect and block malicious ViewState payloads.
Additionally, attack surface reduction (ASR) rules should be enforced to prevent web shell execution. Microsoft has also removed example machine keys from its own documentation to discourage developers from using insecure default settings.
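The advice on unique keys and on encrypting `web.config` can be checked mechanically. The following Python audit is an added example, not code from Microsoft or the original article: it flags hard-coded `validationKey` and `decryptionKey` values, compares them against a set of hashes of disclosed keys, and recognizes an encrypted `machineKey` section. The function name, the sample keys and the hash-set format are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample key and hash set (assumption: disclosed keys are tracked as
# SHA-256 of the upper-cased hex string). Not real keys, not a real list.
SAMPLE_DISCLOSED_KEY = "0123456789ABCDEF" * 4
KNOWN_DISCLOSED = {hashlib.sha256(SAMPLE_DISCLOSED_KEY.encode()).hexdigest()}

def audit_machine_key(web_config_xml, disclosed=KNOWN_DISCLOSED):
    """Return findings for every <machineKey> element in one web.config."""
    findings = []
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.split("}")[-1] != "machineKey":  # tolerate a namespaced root
            continue
        if el.get("configProtectionProvider"):
            # Section is encrypted with protected configuration; keys not readable.
            findings.append("machineKey: section is encrypted")
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = (el.get(attr) or "AutoGenerate").strip()
            if value.split(",")[0].lower() == "autogenerate":
                continue  # generated by the runtime, nothing hard-coded
            digest = hashlib.sha256(value.upper().encode()).hexdigest()
            if digest in disclosed:
                findings.append(f"{attr}: matches a publicly disclosed key, rotate now")
            else:
                findings.append(f"{attr}: hard-coded in plaintext, confirm it is unique")
    return findings

# Constructed web.config samples.
COPIED = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_DISCLOSED_KEY.lower()}"
              decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90" validation="HMACSHA256" />
</system.web></configuration>"""
AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""
ENCRYPTED = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#" />
  </machineKey>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("copied", COPIED), ("autogen", AUTOGEN), ("encrypted", ENCRYPTED)):
        print(name, audit_machine_key(xml))
```

The comparison works on hashes, so the audit never needs to store or print the key material it inspects.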
More information on Microsoft’s findings and mitigation strategies can be found in their official security advisory.