Microsoft released a blog this week which I don’t think people have fully understood the implications of, but it’s great research and a great attack by the threat actor.
I think it’s highly likely multiple threat actors will now jump on this, it’s even automatable.
The attack:
1) take a web.config file. They’re really easy to find.
2) POST request to RCE in IIS
The architecture of .net means this is surprisingly easy to do and you don’t patch your way out of it.
https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
Kevin Beaumont /
npub176…fkwlw
2025-02-07 07:23:31
Author Public Key
npub176rs4lx7gjqwepgg75psfpv7zjj3xz0lyj4n7rux93ftm390sars6fkwlwSeen on
wss://relay.mostr.pubPublished at
2025-02-07 07:23:31Event JSON
{
"id": "5d88b5b2e950ee75cfdf26d326d46079421f26543509cb5f2016dc49d8b8c672",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1738913011,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/113961403097238349",
"activitypub"
]
],
"content": "Microsoft released a blog this week which I don’t think people have fully understood the implications of, but it’s great research and a great attack by the threat actor. \n\nI think it’s highly likely multiple threat actors will now jump on this, it’s even automatable.\n\nThe attack: \n\n1) take a web.config file. They’re really easy to find. \n2) POST request to RCE in IIS \n\nThe architecture of .net means this is surprisingly easy to do and you don’t patch your way out of it.\n\nhttps://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/",
"sig": "6f6349c0b0a9a5a4bcaae8998a288ed918a4e70ac8beeb2747b1b700d9ebb0454a3972784a9e3f84ffcd4a44718bed94e49a3db0fc27887f5f2a8cfc7849f68f"
}