The Microsoft Threat Intelligence team has issued a warning about observed code injection attacks leveraging publicly available ASP.NET machine keys. These actions have been carried out by an unknown threat actor and are used to deliver malware.

Through investigation, the research team discovered an insecure developer practice, in which a variety of public ASP.NET machine keys from publicly accessible resources (like code repositories and documentation) were incorporated. This could allow a threat actor to deploy malicious acts on target servers.

Currently, research has identified more than 3,000 exposed keys that could be used for such attacks. These are referred to as ViewState code injection attacks

Security leaders weigh in 

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:

At its core, this is a misconfiguration of a system where that misconfiguration enables malicious activity. For this scenario, the ViewState would contain the malicious payload which was encrypted using a key published on the internet. Such a key might’ve originated from sample code or from demo code provided to a developer attempting to learn a new API or coding topic. That key was provided as an example by the original author with an expectation that someone using the sample code would replace the demo key with one that’s unique to their environment. The problem is that someone using sample code might not understand all the rules resulting in the sample code being copied directly into the application. 

For a developer who is simply learning a new API this isn’t the end of the world because a production system shouldn’t be using any hardcoded configuration. In the case of this report, the attack vector requires hardcoded keys, which then implies the application in question either isn’t fully configurable or that the configuration itself contains hardcoded elements. While reviewing the contents of the applications’ configuration file against Microsoft’s list of public keys is a good idea, DevOps teams should use tooling that detects hard coded secrets to ensure that any hardcoded items present in their application are properly addressed.  

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

Microsoft's alert regarding the use of publicly available ASP.NET machine keys brings attention to a significant security risk linked to poor coding practices in application and API development. Developers frequently turn to public resources and code snippets for ease, but this approach can unintentionally create vulnerabilities, particularly when developing applications or APIs that manage sensitive data and integrate critical systems. In this scenario, the use of publicly disclosed machine keys puts applications and their associated APIs at risk of attacks, as malicious individuals can easily access these keys. 

To mitigate such risks, developers must prioritize secure coding practices by refraining from utilizing publicly disclosed secrets and ensuring that all third-party libraries and components are up-to-date and free from known vulnerabilities. This precaution is especially vital for APIs, which are frequently exposed online and can be easily targeted by attackers. Furthermore, extensive security training is essential to inform developers about secure coding practices, particularly in relation to API development and the dangers of using publicly accessible resources. This situation emphasizes the necessity of adopting a security-first ethos in software development, especially when creating and deploying APIs. By committing to secure coding practices and maintaining awareness of potential vulnerabilities, organizations can greatly lower their risk of breaches.