An unattributed threat actor has been observed exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks, delivering the Godzilla post-exploitation framework. Over 3,000 publicly disclosed keys have been identified as potentially vulnerable to this attack method. The attack chain involves crafting malicious ViewState data using stolen keys, sending it to the target website via a POST request, and executing malicious code on the IIS web server. Microsoft recommends against using publicly available keys, advises regular key rotation, and provides detection and mitigation strategies. Affected organizations should investigate for possible backdoors or persistence methods established by threat actors.

Author: AlienVault
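One way to act on the advice against publicly available keys, as an added example that is not from Microsoft or the original report: a Python audit of `web.config` content that flags hard-coded `<machineKey>` values and compares them with a list of disclosed-key digests. The digest list, the sample configs and the function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")


def key_digest(key_hex):
    """SHA-256 of the normalized key, so the disclosed-key list holds no raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


# Constructed placeholder list; a real audit loads digests of disclosed keys
# from a maintained source (none are given on this page).
KNOWN_PUBLIC_DIGESTS = {key_digest("0123456789ABCDEF0123456789ABCDEF")}


def audit_machine_key(web_config_xml, known=KNOWN_PUBLIC_DIGESTS):
    """Return (severity, attribute, message) findings for every <machineKey>."""
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        for attr in KEY_ATTRS:
            value = mk.get(attr)
            # "AutoGenerate[,IsolateApps]" means the runtime creates the key.
            if not value or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            if key_digest(value) in known:
                findings.append(("critical", attr, "matches a publicly disclosed key"))
            else:
                findings.append(("review", attr, "hard-coded; confirm unique and rotated"))
    return findings


# Constructed sample configs (not taken from any real site).
REUSED = """<configuration><system.web>
  <machineKey validationKey="0123456789abcdef0123456789abcdef"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""
STATIC = """<configuration><location path="app"><system.web>
  <machineKey validationKey="AABBCCDDEEFF00112233445566778899"
              decryptionKey="99887766554433221100FFEEDDCCBBAA" />
</system.web></location></configuration>"""
DEFAULT = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    for name, xml_text in (("REUSED", REUSED), ("STATIC", STATIC), ("DEFAULT", DEFAULT)):
        print(name, audit_machine_key(xml_text) or "no hard-coded keys")
```

A `critical` finding means the key should be replaced and the server checked for backdoors or persistence, as the summary above advises.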
Related Tags:
asp.net
web servers
post-exploitation
iis
viewstate
godzilla
code injection
T1505.003
T1059