Attackers have been observed exploiting a deserialization vulnerability in SharePoint to steal Internet Information Services (IIS) Machine Keys.
With the key in hand they can bypass the server's integrity checks, forge data the application trusts, and ultimately achieve persistent Remote Code Execution (RCE) on compromised servers.
According to SANS researcher Bojan Zdrnja, the attack begins with the exploitation of a known SharePoint deserialization vulnerability. Although that vulnerability already allows arbitrary command execution, researchers have observed a specific pattern: attackers use their initial access to upload a malicious ASPX file.
The primary function of this file is not to deploy traditional malware but to extract the server's IIS Machine Key.

An IIS Machine Key is a critical cryptographic component of ASP.NET applications. As the report notes, it is used to encrypt and validate sensitive data such as VIEWSTATE, cookies and session information, ensuring integrity and protecting that data from tampering. The machineKey setting actually holds two values: a validationKey, used to compute the message authentication code (MAC) that the server checks before it trusts incoming data, and a decryptionKey, used when that data is also encrypted.
VIEWSTATE, the mechanism that preserves the state of a web page between user interactions, relies on the validation key for its security: the server will only deserialize a VIEWSTATE whose MAC checks out.
If an attacker successfully steals the Machine Key, they effectively hold the “master key” to the application’s security. The method of theft depends on how the key is stored.
In many environments, especially server farms, administrators store the key in plain text in the web.config file so that every server in the farm uses the same value. An attacker with file-read access can simply copy it from there.
Even the default and more secure option, in which ASP.NET auto-generates the key and stores it in the Registry, is not foolproof. The initial SharePoint exploit already provides code execution inside the web application's own process, which is enough to run a script that reads the key straight back out of the Registry.
Once in possession of the Machine Key, an attacker can use a tool such as ysoserial.net to craft a malicious VIEWSTATE object containing an RCE payload.
Because that payload carries a MAC computed with the legitimate Machine Key, the IIS server accepts it, deserializes it and executes the embedded code. This gives the attacker a persistent backdoor.

The malicious VIEWSTATE can be sent to any ASPX page within the application, not just the originally vulnerable one, and because the key itself is persistent the access survives server reboots. Patching the original deserialization bug alone does not close this door.
Administrators are being urged to take immediate action. The key takeaway is that if a server has suffered any form of unauthorized code execution, its Machine Key must be considered compromised and should be manually regenerated. Rotating it invalidates every VIEWSTATE the attacker has signed so far; in a farm the new key must reach every server, including any web.config copies, and IIS must be restarted so the running application pools pick it up.
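The forgery step described above, and why regenerating the key is the remedy, as an added example that is not code from this article or from the SANS diary. It is a deliberately simplified Python model of ViewState MAC validation: real ASP.NET ViewState uses a different wire format, folds a page-specific modifier into the MAC and may additionally be encrypted with the decryptionKey. The keys and the "gadget chain" payload are constructed placeholders; nothing here is produced by ysoserial.net.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Server side: MAC the serialized page state with the validationKey, then base64 it."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, viewstate_b64: str):
    """Server side: return the payload for deserialization if the MAC is valid, else None.

    Returning None is the point at which ASP.NET would log event code 4009
    (Viewstate verification failed) instead of deserializing anything.
    """
    raw = base64.b64decode(viewstate_b64)
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


# Constructed example keys (hypothetical values). A real validationKey is a random
# hex string read from web.config or the Registry.
SERVER_VALIDATION_KEY = bytes.fromhex("11" * 32)
ATTACKER_GUESSED_KEY = bytes.fromhex("22" * 32)
# Placeholder for the serialized gadget chain an attacker would build with ysoserial.net.
ATTACKER_PAYLOAD = b"<serialized gadget chain placeholder>"


def forge_viewstate(key: bytes) -> str:
    """Attacker side: sign the gadget payload with whatever key the attacker holds."""
    return sign_viewstate(key, ATTACKER_PAYLOAD)


def server_would_deserialize(server_key: bytes, viewstate_b64: str) -> bool:
    """True if the server's check passes and the attacker payload reaches the deserializer."""
    return verify_viewstate(server_key, viewstate_b64) == ATTACKER_PAYLOAD


def scenario() -> dict:
    """Three checks: a guessed key fails, the stolen key succeeds, rotation kills the backdoor."""
    rotated_key = os.urandom(32)  # what "manually regenerate the Machine Key" amounts to
    return {
        "guessed_key_rejected": not server_would_deserialize(
            SERVER_VALIDATION_KEY, forge_viewstate(ATTACKER_GUESSED_KEY)),
        "stolen_key_accepted": server_would_deserialize(
            SERVER_VALIDATION_KEY, forge_viewstate(SERVER_VALIDATION_KEY)),
        "old_forgery_rejected_after_rotation": not server_would_deserialize(
            rotated_key, forge_viewstate(SERVER_VALIDATION_KEY)),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```

The third check is the one that matters operationally: the forged VIEWSTATE is valid for as long as the stolen key is, so any number of reboots or patches leaves it working, and only a new key turns the attacker's stored payloads into 4009 failures.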
For detection, security teams should monitor the Windows Application event log for ASP.NET event code 4009 (logged by ASP.NET as Event ID 1316). This event indicates a VIEWSTATE verification failure and is a strong indicator that an attacker is probing the deserialization process with a forged payload, for example while trying keys or targeting a page whose MAC inputs differ. The event also fires for benign reasons, such as a user submitting a stale form or farm members running with mismatched keys, so look for repeated failures from a single client address rather than treating any one event as malicious.
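Detection logic for the event the article points at, as an added example that is not from this page or from the SANS diary. It parses constructed sample log entries shaped like the ASP.NET health-monitoring message (Event code, Request path and User host address fields), keeps only event code 4009, and flags any client address that produces several failures inside a short window. The threshold and window are assumptions to tune per environment; a client that hits more than one page is reported too, since the forged VIEWSTATE can be aimed at any ASPX page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

VIEWSTATE_FAIL = "Viewstate verification failed. Reason: The viewstate supplied failed integrity check."


def make_message(code: int, text: str, path: str, host: str) -> str:
    """Build a message body in the layout ASP.NET health monitoring uses for web events."""
    return f"Event code: {code}\nEvent message: {text}\nRequest path: {path}\nUser host address: {host}"


# Constructed sample Application-log entries as (timestamp, message) pairs; not real captured logs.
SAMPLE_EVENTS = [
    ("2025-07-20T10:01:02", make_message(4009, VIEWSTATE_FAIL, "/_layouts/15/start.aspx", "203.0.113.5")),
    ("2025-07-20T10:01:30", make_message(4009, VIEWSTATE_FAIL, "/_layouts/15/start.aspx", "203.0.113.5")),
    ("2025-07-20T10:02:15", make_message(4009, VIEWSTATE_FAIL, "/default.aspx", "203.0.113.5")),
    ("2025-07-20T10:03:40", make_message(3005, "An unhandled exception has occurred.", "/default.aspx", "203.0.113.5")),
    ("2025-07-20T10:03:55", make_message(4009, VIEWSTATE_FAIL, "/default.aspx", "203.0.113.5")),
    ("2025-07-20T10:05:00", make_message(4009, VIEWSTATE_FAIL, "/default.aspx", "198.51.100.7")),
]

EVENT_CODE_RE = re.compile(r"^Event code: (\d+)", re.M)
PATH_RE = re.compile(r"^Request path: (\S+)", re.M)
HOST_RE = re.compile(r"^User host address: (\S+)", re.M)


def parse_event(timestamp: str, message: str):
    """Return {time, path, host} for an event code 4009 entry, None for anything else."""
    code = EVENT_CODE_RE.search(message)
    if not code or code.group(1) != "4009":
        return None
    path, host = PATH_RE.search(message), HOST_RE.search(message)
    if not path or not host:
        return None
    return {"time": datetime.fromisoformat(timestamp), "path": path.group(1), "host": host.group(1)}


def find_suspicious_hosts(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Map client address -> {max_in_window, paths} for clients with >= threshold 4009s in one window."""
    by_host = defaultdict(list)
    for timestamp, message in events:
        ev = parse_event(timestamp, message)
        if ev:
            by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[host] = {"max_in_window": best, "paths": sorted({e["path"] for e in evs})}
    return findings


if __name__ == "__main__":
    for host, info in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {info['max_in_window']} failures in window, paths={info['paths']}")
```

On a live server the same message fields are available from Get-WinEvent on the Application log filtered to the ASP.NET provider and Event ID 1316; the one-off failure from 198.51.100.7 is the kind of benign event the threshold is meant to ignore.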