Microsoft is warning users about a risky practice in which application developers incorporate publicly disclosed ASP.NET machine keys obtained from publicly available resources, putting their applications in the path of attackers.
The tech giant's threat intelligence team said it saw only limited activity in December of this year, involving an unidentified threat actor using a static, publicly accessible ASP.NET machine key to inject malicious code and deliver a post-exploitation framework.
It also said it has identified over 3,000 publicly available keys that could be used for these kinds of attacks, which it calls ViewState code injection attacks.
Previously known ViewState code injection attacks used compromised or stolen keys that are frequently sold on dark web forums. By contrast, these publicly disclosed keys may pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification, according to Microsoft.
ViewState is a method used in the ASP.NET framework to preserve page and control values between postbacks. It can also include application data that is specific to a page.
“By default, view state data is stored in the page in a hidden field and is encoded using base64 encoding,” Microsoft notes in its documentation. In addition, a machine authentication code (MAC) key is used to create a hash of the view state data. The hash value is then added to the encoded view state data, and the result is stored in the page.
The purpose of the hash value is to prevent malicious actors from modifying or corrupting the view state data. However, if these keys are stolen or made available to unauthorized third parties, it opens the door to a scenario in which a threat actor can use them to send a malicious ViewState request and execute arbitrary code.
“When the request is processed by the ASP.NET runtime on the targeted server, the ViewState is successfully decrypted and validated because the right keys are used,” Redmond noted. The threat actor can then execute remote code on the target IIS web server by loading malicious code into the worker process memory and running it.
Customers are urged to compare the machine keys used in their environments against the list Microsoft has provided for the publicly disclosed machine keys. Microsoft also cautioned that merely rotating the keys won’t suffice if publicly available keys have already been successfully exploited, because the threat actors may have established persistence on the host.
To reduce the risk posed by such attacks, it’s advised not to copy keys from publicly accessible sources and to rotate keys regularly. As a further step to deter threat actors, Microsoft said it removed key artifacts from “limited instances” where they were included in its documentation.
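The key comparison described above can be scripted. The following is an added example, not code from Microsoft or from the original article: it reads the `<machineKey>` element of a `web.config` and checks static keys against a set of hashes. The hash format (SHA-256 over the upper-cased hex key string), the function names and the sample keys are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are made-up placeholders,
# not real disclosed keys.
SAMPLE_STATIC = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
              decryptionKey="FFEEDDCCBBAA99887766554433221100"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""
SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def key_fingerprint(key_hex):
    """Assumed list format: SHA-256 over the upper-cased hex key string."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


def audit_web_config(xml_text, disclosed_hashes):
    """Return (attribute, status) findings for every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Strip an XML namespace if the config declares one.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr)
            # A missing attribute falls back to the auto-generated default.
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                findings.append((attr, "auto-generated"))
            elif key_fingerprint(value) in disclosed_hashes:
                findings.append((attr, "PUBLICLY DISCLOSED"))
            else:
                findings.append((attr, "static, not on list"))
    return findings


# Constructed stand-in for the published list of disclosed-key hashes.
DISCLOSED = {key_fingerprint(
    "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF")}

if __name__ == "__main__":
    for name, cfg in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_web_config(cfg, DISCLOSED))
```

A match means the host should be investigated for compromise rather than only having its keys rotated, for the reason given above.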
The development comes as the cloud security firm Aqua details a bypass that could be used to carry out unauthorized operations in Kubernetes environments, including deploying unauthorized container images.
“A security risk arises in the k8sallowedrepos policy,” researchers Yakir Kadkoda and Assaf Morag said in an analysis shared with The Hacker News.
“When users specify values in Constraint YAML files that conflict with Rego logic processing, this risk is increased even further. This mismatch can result in policy bypasses, making the restrictions ineffective.”