
Attackers can steal IIS machine keys by exploiting a deserialization vulnerability in SharePoint.

Attackers are using a multi-stage technique that exploits a deserialization vulnerability in SharePoint to steal Internet Information Services (IIS) Machine Keys. With the key in hand they can bypass security controls, forge data the server trusts, and ultimately achieve persistent Remote Code Execution (RCE) on compromised servers. According to SANS researcher Bojan Zdrnja, the attack begins with the exploitation of a known SharePoint deserialization vulnerability. Although this vulnerability already permits arbitrary command execution, researchers have observed a specific pattern: attackers use their initial access to upload a malicious ASPX file. The primary purpose of this file is not to deploy traditional malware but to extract the server’s IIS Machine Key, the cryptographic material ASP.NET applications use to encrypt and validate sensitive data such as VIEWSTATE, cookies, and session information.

If an attacker successfully acquires the Machine Key, they effectively hold the “master key” to the application’s security. How the key is stolen depends on where it is stored. In many environments, particularly server farms, administrators store the key in plain text in the web.config file for ease of synchronisation, which makes it readable by any attacker with file-read access. Even the more secure option of auto-generating the key and storing it in the Registry is not immune: the initial SharePoint exploit grants sufficient code execution privileges for the attacker to run a script that reads the key directly from the Registry.

Once in possession of the Machine Key, attackers can use tools such as ysoserial.net to create a malicious VIEWSTATE object containing an RCE payload. Because the payload is signed with the legitimate Machine Key, the IIS server trusts it, deserialises it, and executes the embedded code, giving the attacker a persistent backdoor. The malicious VIEWSTATE can be sent to any ASPX page within the application, so access persists even after server reboots.

Administrators are urged to act immediately: any server that has experienced unauthorized code execution must treat its Machine Key as compromised, and the key should be regenerated manually. For detection, security teams should monitor the Windows Application event log for Event Code 4009, which indicates a VIEWSTATE verification failure and is a strong indicator of an attempt to exploit the deserialization process with a forged payload.
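The two defensive steps the article ends on, watching for event code 4009 and rotating the Machine Key, can be scripted. The following is an added example written for this page, not code from the SANS write-up or from Microsoft. It parses constructed ASP.NET health-monitoring messages in the shape the Application log records them (the sample events, hostnames and addresses are made up), flags source addresses that generate a burst of VIEWSTATE verification failures, and builds a replacement `<machineKey>` element with freshly generated keys. The field names it matches on (`Event code`, `Request URL`, `User host address`) are the ones ASP.NET writes into such messages; the threshold of three failures is an assumption you should tune to your environment.

```python
"""Added example: triage ASP.NET event code 4009 (VIEWSTATE verification
failed) from Application-log messages and emit a fresh <machineKey> element.
"""
import re
import secrets
from collections import Counter

# Constructed sample events, not captured telemetry. The layout mirrors the
# multi-line message ASP.NET health monitoring writes to the Application log.
SAMPLE_EVENTS = [
    """Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Request information:
    Request URL: http://sharepoint.example/sites/hr/default.aspx
    User host address: 203.0.113.5""",
    """Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Request information:
    Request URL: http://sharepoint.example/sites/hr/lists.aspx
    User host address: 203.0.113.5""",
    """Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Request information:
    Request URL: http://sharepoint.example/_layouts/15/settings.aspx
    User host address: 203.0.113.5""",
    """Event code: 3005
Event message: An unhandled exception has occurred.
Request information:
    Request URL: http://sharepoint.example/sites/hr/default.aspx
    User host address: 198.51.100.20""",
    """Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Request information:
    Request URL: http://sharepoint.example/sites/hr/default.aspx
    User host address: 198.51.100.20""",
]

VIEWSTATE_FAILURE = 4009  # the health-monitoring event code the article tells you to watch

# One "Name: value" line per field we triage on; re.M makes ^/$ per line.
_FIELD = re.compile(r"^\s*(Event code|Request URL|User host address):\s*(.+?)\s*$", re.M)


def parse_event(text):
    """Extract event code, requested page and client address from one message."""
    fields = dict(_FIELD.findall(text))
    return {
        "code": int(fields.get("Event code", -1)),
        "url": fields.get("Request URL", ""),
        "host": fields.get("User host address", ""),
    }


def viewstate_failures(events):
    """Keep only VIEWSTATE verification failures (event code 4009)."""
    return [e for e in map(parse_event, events) if e["code"] == VIEWSTATE_FAILURE]


def suspicious_sources(events, threshold=3):
    """Return {host: count} for clients with at least `threshold` 4009 events.

    A lone failure is often a stale browser tab after a key rotation; a burst
    from one address against several pages is what repeated attempts to submit
    a forged VIEWSTATE look like from the defender's side. Threshold is assumed.
    """
    counts = Counter(e["host"] for e in viewstate_failures(events))
    return {host: n for host, n in counts.items() if n >= threshold}


def new_machine_key_element():
    """Build a replacement <machineKey> for web.config.

    64 random bytes for the HMACSHA256 validationKey and 32 for the AES
    decryptionKey, hex-encoded as ASP.NET expects. Deploying this (to every
    server in the farm) invalidates anything signed with the stolen key.
    """
    return (
        '<machineKey validationKey="{v}" decryptionKey="{d}" '
        'validation="HMACSHA256" decryption="AES" />'
    ).format(v=secrets.token_hex(64).upper(), d=secrets.token_hex(32).upper())


if __name__ == "__main__":
    for host, n in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"{host}: {n} VIEWSTATE verification failures")
    print(new_machine_key_element())
```

On the sample data the script reports 203.0.113.5 with three failures while 198.51.100.20, with a single 4009 event, stays below the threshold. The generated element is a drop-in for the `<system.web>` section of web.config; in a farm it must be identical on every server, and regenerating it is only meaningful after the initial foothold (the uploaded ASPX file and the patched deserialization flaw) has been removed, otherwise the new key is simply read again.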
