GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    buherator (buherator@infosec.place)'s status on Friday, 07-Feb-2025 20:56:45 JST
    • Kevin Beaumont
    @GossiTheDog 1) 3000 is not a big number on the Internet (quality matters though) 2) This is an overestimation because not all keys are useful (as the captured text also implies)

    I haven't touched ASP.NET for a while, but I'd risk to say that app configuration also affects exploitability as i) not all apps rely on signed ViewState (IIRC) ii) deserialization gadgets are not universal.

    These are of course solvable problems, but still need to be taken into account for risk assessment.
    In conversation about 4 months ago from gnusocial.jp permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 07-Feb-2025 16:23:38 JST

      Microsoft released a blog this week which I don’t think people have fully understood the implications of, but it’s great research and a great attack by the threat actor.

      I think it’s highly likely multiple threat actors will now jump on this, it’s even automatable.

      The attack:

      1) take a web.config file. They’re really easy to find.
      2) POST request to RCE in IIS

      The architecture of .net means this is surprisingly easy to do and you don’t patch your way out of it.

      https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

      In conversation about 4 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 07-Feb-2025 16:27:41 JST

      I’ve bookmarked this thread so it doesn’t auto delete the toots, put it that way. You could just automate spraying the internet with this one.

      In conversation about 4 months ago permalink
    • buherator (buherator@infosec.place)'s status on Friday, 07-Feb-2025 17:35:04 JST
      in reply to
      • Kevin Beaumont
      @GossiTheDog That is technically true, but scanners already look for exposed web.configs, so any affected, but not already exploited Internet-facing sites would be simultaneously extremely negligent and lucky.

      https://github.com/projectdiscovery/nuclei-templates/blob/2390fd195ab00f2bb1142dd27ac2ab888622d9bd/http/exposures/configs/web-config.yaml#L22
      In conversation about 4 months ago permalink

      Attachments

      1. nuclei-templates/http/exposures/configs/web-config.yaml at 2390fd195ab00f2bb1142dd27ac2ab888622d9bd · projectdiscovery/nuclei-templates
        Community curated list of templates for the nuclei engine to find security vulnerabilities. - projectdiscovery/nuclei-templates
    • buherator (buherator@infosec.place)'s status on Saturday, 08-Feb-2025 02:17:09 JST
      • Kevin Beaumont
      @GossiTheDog Forgive my ignorance, what is nom?
      In conversation about 4 months ago permalink
    • Taggart :donor: (mttaggart@infosec.exchange)'s status on Saturday, 08-Feb-2025 02:19:20 JST
      in reply to
      • Kevin Beaumont

      @GossiTheDog https://github.com/search?q=%3CmachineKey+path%3Aweb.config&type=code

      In conversation about 4 months ago permalink

    • buherator (buherator@infosec.place)'s status on Saturday, 08-Feb-2025 02:33:14 JST
      • Kevin Beaumont
      @GossiTheDog Thanks! Now I'm more confused: npm does .NET these days? Or we're talking NuGet?
      In conversation about 4 months ago permalink
    • screaminggoat (screaminggoat@infosec.exchange)'s status on Saturday, 08-Feb-2025 03:13:43 JST
      in reply to
      • Kevin Beaumont
      • Zeljka Zorz

      @zeljkazorz @buherator @GossiTheDog ASEC's appears to be the closest and I'm trying to determine if Godzilla (web shell) and Godzilla (post-exploitation framework) are one and the same.

      This is the web shell version https://github.com/BeichenDream/Godzilla frequently referenced.

      Interestingly "19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d" from Microsoft isn't hot yet on VirusTotal

      In conversation about 4 months ago permalink

      Attachments

      1. GitHub - BeichenDream/Godzilla: Godzilla (哥斯拉)
        Godzilla. Contribute to BeichenDream/Godzilla development by creating an account on GitHub.
    • buherator (buherator@infosec.place)'s status on Saturday, 08-Feb-2025 03:13:43 JST
      in reply to
      • Kevin Beaumont
      • Zeljka Zorz
      • screaminggoat
      @screaminggoat @zeljkazorz @GossiTheDog "However, due to inadequate server configurations, attacks become possible if *the serialized data is not verified* (CWE-642)" - this sounds more like disabled MAC than leaked key to me
      In conversation about 4 months ago permalink
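A defender-side check for the two configuration conditions discussed in this thread: a static machineKey that may have been copied from a public source (Kevin Beaumont's post about web.config files and the Microsoft write-up) and a disabled ViewState MAC (buherator's reading of the ASEC text above). This is an added example, not code from anyone in the thread or from the projects linked here; the web.config content and the "published key" fingerprint list are constructed placeholders, and a real audit would load the fingerprint list from a vetted source.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config: a hardcoded machineKey plus ViewState MAC turned off.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed placeholder: SHA-256 fingerprints of validationKeys known to have been
# published. Storing fingerprints rather than keys keeps the denylist itself harmless.
KNOWN_PUBLISHED_KEY_FINGERPRINTS = {
    hashlib.sha256(
        b"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    ).hexdigest(),
}


def key_fingerprint(key: str) -> str:
    """Normalise a hex key (whitespace, case) and return its SHA-256 fingerprint."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


def audit_web_config(xml_text: str) -> list:
    """Return a list of human-readable findings for one web.config document."""
    findings = []
    root = ET.fromstring(xml_text)

    # machineKey may appear under system.web or inside <location> blocks, so walk the tree.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default when the attribute is absent is AutoGenerate,IsolateApps.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue
            findings.append(
                f"static {attr} configured; treat it as a secret and rotate it "
                f"if it was ever copied from a public source"
            )
            if attr == "validationKey" and key_fingerprint(value) in KNOWN_PUBLISHED_KEY_FINGERPRINTS:
                findings.append("validationKey matches a published key fingerprint; rotate immediately")

    # With the MAC disabled, ViewState is not signed at all, so no key is even needed.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(
                'enableViewStateMac="false": ViewState is unsigned, so any client can supply '
                "arbitrary serialized data"
            )

    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run against the constructed sample this reports four findings: a static validationKey, a match against the placeholder fingerprint set, a static decryptionKey, and the disabled MAC. A config that leaves the key on AutoGenerate and does not touch enableViewStateMac produces no findings. The fingerprint comparison is the part that maps to the Microsoft advisory's point about publicly disclosed keys; the MAC check is the separate, configuration-only failure mode buherator distinguishes above.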
    • Zeljka Zorz (zeljkazorz@infosec.exchange)'s status on Saturday, 08-Feb-2025 03:13:44 JST
      in reply to
      • Kevin Beaumont

      @buherator @GossiTheDog

      Is it possible that Broadcom/Symantec spotted these same attacks earlier?

      https://www.broadcom.com/support/security-center/protection-bulletin/godzilla-webshell-deployment-campaign

      In conversation about 4 months ago permalink
    • Zeljka Zorz (zeljkazorz@infosec.exchange)'s status on Saturday, 08-Feb-2025 03:13:44 JST
      in reply to
      • Kevin Beaumont

      @buherator @GossiTheDog

      Or ASEC: https://asec.ahnlab.com/en/85088/

      They go in more detail, but mention ASP.NET environments with vulnerable configurations.

      Unfortunately, I don't know enough about ASP.NET to make an educated guess whether these attacks could be related.

      In conversation about 4 months ago permalink

      Attachments



    • Zeljka Zorz (zeljkazorz@infosec.exchange)'s status on Saturday, 08-Feb-2025 03:14:08 JST
      in reply to
      • Kevin Beaumont
      • screaminggoat
      • buherator

      @buherator@infosec.place @GossiTheDog @screaminggoat

      Symantec says their protection bulletin was prompted by the AhnLab blog post.

      I believe @buherator is right. Whether Microsoft found a continuation of the same campaign, with a slightly different approach / toolset, is impossible to tell.

      Judging by the capabilities provided by the Godzilla post-exploitation framework and the Godzilla webshell, I would venture to say that they are one and the same, only Microsoft used that particular expression (and did not elaborate on it, which means they expect the readers to be familiar with it already - i.e., it's known and documented).

      In conversation about 4 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.