Palo Alto Networks’ Unit 42 reports that a threat actor dubbed TGR-CRI-0045 is using ASP.NET View State deserialization to compromise Internet Information Services (IIS) servers and gain long-term access to targeted organizations.
The attackers use compromised ASP.NET machine keys to sign malicious View State payloads. Because the signature validates, the server deserializes the attacker-controlled object graph, giving the actor unauthorized code execution on the targeted IIS server; the technique is commonly referred to as ASP.NET View State deserialization.
View State is not an authentication mechanism. It is the ASP.NET Web Forms feature that serializes page and control state into the hidden __VIEWSTATE form field so that state survives across requests on an IIS server. The server protects that field with a message authentication code derived from the machine key's validationKey (and can additionally encrypt it with the decryptionKey), so anyone who holds a site's keys can craft a View State blob the server will accept and deserialize.
Palo Alto Networks has released a report with detailed information about TGR-CRI-0045’s tools, infrastructure and methods of maintaining access to the exploited systems.
The report advises organizations to review Microsoft's guidance on identifying and remediating compromised machine keys for ASP.NET sites hosted on Internet Information Services (IIS).
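One way to start that review, as an added example that is not code from the Unit 42 report or from Microsoft's guidance: the PowerShell below inventories the <machineKey> configuration of every IIS site plus the framework-level root web.config, flags static, known-disclosed or weak settings, and generates a replacement element with freshly random keys. It assumes an IIS host with the WebAdministration module, elevated rights, and an operator-supplied list of known-disclosed keys (the hypothetical $KnownBadKeys parameter, left empty here).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Unit 42 report or from Microsoft.
# Assumes an IIS host with the WebAdministration module. $KnownBadKeys is a
# hypothetical operator-supplied list (for example copied from Microsoft's
# published list of publicly disclosed keys); it is empty in this example.
Import-Module WebAdministration -ErrorAction Stop

function Get-AspNetConfigPaths {
    # Site-root web.config files plus the .NET framework root web.config,
    # which is where a machine-wide <machineKey> would be configured.
    $paths = @(foreach ($site in Get-Website) {
        Join-Path ([Environment]::ExpandEnvironmentVariables($site.PhysicalPath)) 'web.config'
    })
    $paths += @(foreach ($fw in 'Framework', 'Framework64') {
        Join-Path $env:windir "Microsoft.NET\$fw\v4.0.30319\Config\web.config"
    })
    $paths | Where-Object { Test-Path $_ } | Select-Object -Unique
}

function Get-MachineKeyFindings {
    param(
        [Parameter(Mandatory)][string[]]$ConfigPath,
        [string[]]$KnownBadKeys = @()   # hypothetical input: keys already known to be public
    )
    $weakAlgorithms = 'MD5', 'SHA1', '3DES', 'DES'
    foreach ($path in $ConfigPath) {
        [xml]$cfg = Get-Content -Path $path -Raw
        # <machineKey> may sit under <location>, so search the whole document.
        foreach ($mk in $cfg.SelectNodes('//machineKey')) {
            foreach ($attr in 'validationKey', 'decryptionKey') {
                $value = $mk.GetAttribute($attr)
                # The default "AutoGenerate,IsolateApps" is not a static key.
                if (-not $value -or $value -like 'AutoGenerate*') { continue }
                if ($KnownBadKeys -contains $value) {
                    $severity = 'Critical'
                    $finding  = "$attr matches a known-disclosed key; rotate immediately"
                } else {
                    $severity = 'Review'
                    $finding  = "static $attr present; confirm it is site-specific and was never published"
                }
                [pscustomobject]@{ Path = $path; Severity = $severity; Finding = $finding }
            }
            foreach ($attr in 'validation', 'decryption') {
                $alg = $mk.GetAttribute($attr)
                if ($alg -and $weakAlgorithms -contains $alg.ToUpperInvariant()) {
                    [pscustomobject]@{ Path = $path; Severity = 'Review'; Finding = "weak $attr algorithm $alg" }
                }
            }
        }
        # Disabling the View State MAC lets anyone submit a crafted View State.
        # ASP.NET 4.5.2 and later ignore this setting, but it still signals risky config.
        foreach ($pages in $cfg.SelectNodes("//pages[@enableViewStateMac='false']")) {
            [pscustomobject]@{ Path = $path; Severity = 'Critical'; Finding = 'enableViewStateMac="false"' }
        }
    }
}

function New-MachineKeyElement {
    # Fresh random keys: 64 bytes for an HMACSHA256 validationKey and 32 bytes for an
    # AES-256 decryptionKey, rendered as the upper-case hex strings ASP.NET expects.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $validation = New-Object byte[] 64; $rng.GetBytes($validation)
    $decryption = New-Object byte[] 32; $rng.GetBytes($decryption)
    $rng.Dispose()
    $hex = { param([byte[]]$b) -join ($b | ForEach-Object { $_.ToString('X2') }) }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f (& $hex $validation), (& $hex $decryption)
}

# Usage: audit every site, then emit a replacement element to paste into web.config.
$findings = Get-MachineKeyFindings -ConfigPath (Get-AspNetConfigPaths) -KnownBadKeys @()
$findings | Sort-Object Severity | Format-Table -AutoSize
New-MachineKeyElement
```

Two caveats before applying the generated element: rotating a machine key invalidates existing View State and forms-authentication tickets, and every node in a web farm must receive the same new key or sign-ins and postbacks will fail across nodes. Rotation also only closes the entry vector; it does not evict an actor who has already planted a web shell or other persistence, so key rotation belongs alongside the host review the report describes, not in place of it.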