Cybercriminals are exploiting leaked cryptographic keys to manipulate authentication systems, decode protected data, and install harmful software on vulnerable web servers. These attacks can give hackers unauthorized control over websites and would allow them to maintain access for long periods.
How Hackers Use Publicly Available Keys
Microsoft's cybersecurity experts have recently detected a new wave of Internet threats in which attacking groups use exposed ASP.NET machine keys to break into web applications. These keys are sometimes kept private, but they were nonetheless discovered in public code repositories so that hackers could easily gain access to and misuse them.
Once the criminal possess this key, he would be able to manipulate ViewState, a methodology in ASP.NET Web Forms considered to store and manipulate user data between page interactions. If ViewState data with malicious content is injected by the attacker, the web server would then validate it and process it, allowing the hacker to execute harmful commands on that system.
Microsoft, on its part, is tracking that more than 3,000 machine keys have been publicly leaked, putting numerous web applications at risk of code injection attacks.
The Godzilla Malware Threat
In December 2024, evidence was found that an unidentified hacker group installed the military-grade malware Godzilla in a compromised machine with long-term access and control through an exposed ASP.NET machine key:
Once this malware makes its way into the compromised system, the hackers can:
- Run unauthorized commands on the web server.
- Install additional malware to expand their control.
- Maintain access even if initial security gaps are patched.
Microsoft states these attacks are particularly concerning since leaked keys are available to the public, thus allowing many attackers to take advantage of this vulnerability.
Why Publicly Exposed Machine Keys Are Dangerous
Previously, attackers sold stolen cryptographic keys in underground markets, but Microsoft now finds this case to be many freely exposed keys on public sites. It sure enhances the risks of exploitation.
The threats include:
- Developers could unwittingly copy exposed keys into genuinely existing projects, thereby rendering their applications exploitable.
- Attackers could set up a script to carry out attacks against the known keys, which would allow for widespread exploitation.
- One compromised key can cause a breach in multiple applications.
Recommendations From Microsoft Security
To defend against these attacks, Microsoft thus recommends that organizations carry out the following:
- Never use publicly available machine keys; generate application-specific keys at all times.
- To limit the risks of long-term exposure, regular updates and rotations to cryptographic keys should be put into practice.
- Check for exposed keys using Microsoft security tools and revoke any that are found.
- Securely upgrade ASP.NET applications to the most recent version, preferably ASP.NET 4.8, which will have the strongest security protections.
- Strengthening Windows Servers from persistent malwares through enabling security modules like Antimalware Scan Interface (AMSI) and attack surface reduction rules.
What to Do If a System Has Been Compromised
If an organization feels its servers are under attack, it is insufficient to merely replace machine keys to avert any subsequent attacks. Microsoft suggests:
1. To pay for a complete security investigation in order to search for backdoors and unauthorized users.
2. Clear all malicious scripts and files from the system.
3. Rebuild the server if necessary, to clear any other prospects of threats.
Organizations using ASP.NET applications in web farms should replace remaining machine keys with automatically generated values that are securely stored in the system registry.
Over 3,000 exposed cryptographic keys entail a major concern for cybersecurity since attacking groups can easily compromise web applications. Such a breach also becomes dreadful because it allows hackers to stay undetected in the system for long-spanning periods of time.
Thus, in a bid to stay safe, businesses and developers ought to avoid using public keys, update their security settings regularly and harden defenses against malware. Every step above can assist the organizations in keeping unauthorized people out thus securing their web applications against exploitation.
