Microsoft warns hackers have a new and devious way of distributing malware

News
By published

Are you using publicly available keys for ViewState?

A person using a laptop on a table.
(Image credit: Shutterstock/SFIO CRACHO)
  • ViewState code injection attacks can lead to remote code execution, Microsoft warned
  • Many devs are not generating their own machine keys for ViewState
  • There are thousands of publicly available keys cybercriminals can use

Cybercriminals are abusing a weakness in ASP.NET websites to remotely execute malicious code, according to Microsoft’s Threat Intelligence team, which has published an in-depth analysis on the new method.

In the article, Microsoft explained threat actors were injecting malicious code through a method called ViewState code injection attacks.

ViewState is a feature in ASP.NET websites that helps remember user input and page settings when the page is refreshed. It stores this information in a hidden part of the webpage so that when the user interacts with the page again, it can reload the saved data without losing anything.

Accepting malicious code

As it turns out, many developers are using machine keys (security codes designed to protect the website’s ViewState data) that they find online, rather than generating their own. These machine keys are intended to prevent tampering with ViewState, which tracks data on web pages as users interact with them.

However, if developers can find these keys, so can criminals. When they do, they can use them to inject harmful content into a website’s ViewState. Because the machine key is the same as the one the website expects, the server decrypts and processes the malicious code, allowing attackers to run their own commands on the server. This can lead to remote code execution, Microsoft warned.

The researchers found more than 3,000 publicly disclosed keys that can be used in these attacks. In some cases, the researchers added, developers might unknowingly push these public keys into their code, as well.

To prevent these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly available ones, and secure sensitive data by encrypting parts of their configuration files.

Upgrading to a newer version of ASP.NET is also recommended, as is using security features such as the Antimalware Scan Interface (AMSI).

Microsoft also provided instructions on how to remove or replace the insecure machine keys from the server's configuration files and removed examples of these keys from its public documentation to discourage the insecure practice.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Trojan
Hackers hide malware into website images to go unnoticed
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Robotic hand clicking on captcha 'I am not a robot'.
Double clicking danger - experts warn just two clicks can let attackers steal your accounts
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
Latest in Security
NHS
NHS IT supplier hit with major fine following ransomware attack
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Latest in News
Waze voice control
Waze is ditching Google Assistant for Gemini on iOS, and for good reasons
Apple Watch Ultra 2 displaying a step count and distance
Using a smartwatch could be a game-changer for people with diabetes, new research suggests
Focal Bathys MG
Focal just upgraded its audiophile noise-cancelling wireless headphones with even better sound, better noise cancelling, and a way higher price
A PC gamer celebrating, sat in a gaming chair in front of a monitor
Windows 11’s Game Bar gets a fresh coat of paint, plus a tweak to work better on handhelds – and I like the direction Microsoft’s heading in here
NHS
NHS IT supplier hit with major fine following ransomware attack
A business woman looking at AI on a transparent screen
Most businesses are now fully embracing AI - but aren't always protected against the risks
More about security
NHS

NHS IT supplier hit with major fine following ransomware attack
Data leak

Top home hardware firm data leak could see millions of customers affected
Apple Watch Ultra 2 displaying a step count and distance

Using a smartwatch could be a game-changer for people with diabetes, new research suggests
See more latest
Most Popular
Apple Watch Ultra 2 displaying a step count and distance
Using a smartwatch could be a game-changer for people with diabetes, new research suggests
Focal Bathys MG
Focal just upgraded its audiophile noise-cancelling wireless headphones with even better sound, better noise cancelling, and a way higher price
Waze voice control
Waze is ditching Google Assistant for Gemini on iOS, and for good reasons
Garmin Fenix 8 vs Enduro 3 comparison
Garmin adds premium Garmin Connect+ tier with AI features – but promises your free experience ‘is not going away’
Microsoft Copilot combines the Microsoft 365 apps, Microsoft Graph and Artificial Intelligence. Isolated 3D logo on a surface
Microsoft adds Copilot AI features to Windows 11's Photos app - and I actually don't hate them
Nintendo Direct live blog.
Nintendo Direct live build-up: no Switch 2, but these are our predictions for what we could see
NHS
NHS IT supplier hit with major fine following ransomware attack
A PC gamer celebrating, sat in a gaming chair in front of a monitor
Windows 11’s Game Bar gets a fresh coat of paint, plus a tweak to work better on handhelds – and I like the direction Microsoft’s heading in here
inZOI.
inZOI early access won't feature Denuvo DRM after all, 'we are committed to making inZOI a highly moddable game'
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
All three rumored Samsung Galaxy S25 Edge colors shown off in ‘official’ images