Cybersecurity researchers have uncovered a large-scale attack campaign where hackers are abusing ASP.NET machine keys to compromise Microsoft Internet Information Services (IIS) servers. This new wave of intrusions, attributed to the threat group REF3927, leverages publicly exposed or leaked machine keys to generate malicious ViewState payloads capable of remote code execution. The ongoing exploitation underscores how misconfigured web applications and weak key management can cascade into enterprise-wide compromise.
How the Attack Works
The attackers identify websites that use default or leaked ASP.NET machine keys – crucial cryptographic values that secure ViewState data and authentication tokens. Once found, they:
- Craft malicious ViewState payloads signed with the compromised key.
- Inject the payload into web requests, exploiting IIS to execute arbitrary commands.
- Deploy post-exploitation tools, including TOLLBOOTH, which hijacks web traffic and redirects it to attacker-controlled sites for monetization.
- Establish persistence, using scheduled tasks and registry modifications to maintain long-term access.
Security analysts found several keys publicly posted in online repositories and documentation samples, allowing attackers to target servers en masse.
Why This Attack Matters
The exploitation of machine keys reveals a serious supply-chain and configuration flaw rather than a software vulnerability. It affects a wide range of industries that rely on IIS for hosting mission-critical web applications.
- Financial Services – Banking and payment applications running on IIS could have transaction data or credentials compromised.
- Healthcare – Patient management portals and health information systems risk unauthorized data access.
- Retail – E-commerce sites face data theft, SEO hijacking, and fraudulent traffic redirection.
- Manufacturing – Compromised web dashboards and IoT control systems may expose production or supply-chain details.
- Government – Public sector web portals, once compromised, could serve as launch points for disinformation or surveillance.
Because the exploit uses legitimate server functions, it often bypasses traditional antivirus and intrusion detection mechanisms.
Recommended Actions
1. Rotate and protect machine keys– Treat them as secrets. Store in vaults, never in plain text, and ensure each application instance has a unique key.
2. Update and patch IIS servers– Apply the latest Microsoft security patches and disable legacy ViewState MAC validation where possible.
3. Harden configurations– Disable debug and verbose error settings. Enforce least-privilege for IIS application pools.
4. Monitor for anomalies– Look for unusual ViewState deserialization patterns, TOLLBOOTH artifacts, or unexpected HTTP traffic spikes.
5. Conduct regular penetration testing – Validate your web server configurations and identify leaked or default keys early.
6. Deploy Web Application Firewalls (WAFs)– Block tampered ViewState payloads and enforce integrity validation.
7. Train developers and admins – Educate teams about machine key risks and secure cryptographic practices.
Conclusion
This campaign is a stark reminder that configuration security is just as critical as patch management. A single leaked or reused cryptographic key can open doors to complete system takeover. As organizations increasingly depend on cloud and web-based architectures, the need for rigorous configuration governance and web-layer protection has never been greater.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
In light of emerging threats like machine key exploitation, COE Security also assists clients with web application hardening, cryptographic key lifecycle management, secure configuration audits, and continuous compliance monitoring to safeguard critical systems.
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption – and stay updated and cyber safe.