February 6, 2025 By Sergiu Gatlan
Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP. NET machine keys found online.
As Microsoft Threat Intelligence experts recently discovered, some developers use ASP.NET validationKey and decryptionKey keys (designed to protect ViewState from tampering and information disclosure) found on code documentation and repository platforms in their own software.
However, threat actors also use machine keys from publicly available sources in code injection attacks to create malicious ViewStates (used by ASP.NET Web Forms to control state and preserve pages) by attaching crafted message authentication code (MAC).
When loading the ViewStates sent via POST requests, the ASP.NET Runtime on the targeted server decrypts and validates the attackers' maliciously crafted ViewState data because it uses the right keys, loads it into the worker process memory, and executes it.