__VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, that are stored in the application configuration file. If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker process. These attacks are known as ViewState code injection or ViewState deserialization and are not new. Microsoft warned in December that it had seen in-the-wild attacks leveraging this technique and had identified over 3,000 publicly disclosed machine keys that could be abused. The attack investigated by Mandiant exploited such a key, which was included as a sample in deployment instructions dating back to 2017 for Sitecore XP 9.0 or earlier and Active Directory 1.4. Sitecore’s newer deployments generate unique keys for every installation, but users who deployed their instances using the old deployment guides and kept the sample keys should now check their installations for signs of compromise.
From initial access to full server compromise: The threat actor behind the incident investigated by Mandiant exploited CVE-2025-53690 to inject a .NET assembly called Information.dll through ViewState. This information-gathering tool, which Mandiant tracks as WEEPSTEEL, is similar to the GhostContainer backdoor. As part of the attack, WEEPSTEEL was used to gather information about the system and its users and to give the attackers the NETWORK SERVICE privilege on the system, which is the account the Microsoft IIS worker process runs under. This allowed them to exfiltrate configuration files from the application that contained sensitive information. The attackers then downloaded additional tools previously staged in the Music and Video directories. These tools included the 7za.exe archiving utility, a SOCKS v5 tunneling tool that Mandiant tracks as EARTHWORM, VBS scripts containing malicious commands, and various privilege escalation tools. The privilege escalation tools allowed the attackers to gain SYSTEM privileges and create additional accounts on the system, including administrative ones called asp$ and sawadmin. Additional tools deployed and used with these accounts included a remote access tool called DWAGENT and a user token-stealing tool called GoToken.exe. The attackers also used their access to dump the SYSTEM and SAM registry hives to extract password hashes for all the local users configured on the system. This information was used to start lateral movement via Remote Desktop Protocol (RDP) sessions. The SHARPHOUND tool that is part of the BloodHound Active Directory analysis framework was also deployed. The attackers managed to jump to other systems on the network by using RDP and the account credentials they collected. The EARTHWORM tunneling tool was also deployed on those systems.
Mitigation: Sitecore users who believe their deployments might be affected should immediately examine their environments for signs of compromise and malware. The Mandiant report includes indicators of compromise that can be used to build detection signatures. Users should also rotate the machine keys within their web.config files and ensure that any <machineKey> elements in their config files are encrypted. The web.config file should be configured to be accessible only to application administrators, and machine keys should be automatically rotated following Microsoft’s ASP.NET ViewState security guidance.
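As an added example (not Sitecore's or Mandiant's code), the following Python script audits the <machineKey> element of a web.config for the conditions the mitigation above addresses (static keys left in plaintext, an unprotected section, a legacy validation algorithm) and emits a fresh replacement element sized per Microsoft's guidance. Both sample configurations and all key values in it are constructed placeholders.

```python
"""Added example (not Sitecore's or Mandiant's code): audit the <machineKey>
element of an ASP.NET web.config for the weaknesses discussed above and emit a
fresh replacement.  All sample configs and key values here are constructed."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: static, plaintext keys with a legacy validation algorithm,
# the pattern that makes a leaked key reusable for ViewState forgery. Placeholders.
PLAINTEXT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""" % ("0123456789ABCDEF" * 8, "FEDCBA9876543210" * 4)

# Constructed sample of what the same section looks like after encrypting it
# with aspnet_regiis -pe "system.web/machineKey" (ciphertext is a placeholder).
ENCRYPTED_CONFIG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </machineKey>
</system.web></configuration>"""


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return finding codes for the machineKey element; [] means nothing to flag."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        return []  # no static keys: ASP.NET auto-generates them per machine
    if mk.get("configProtectionProvider") and any(
            child.tag.endswith("EncryptedData") for child in mk):
        return []  # protected section: no plaintext key material in the file
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        # AutoGenerate[,IsolateApps] is the default; anything else is a static key
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"PLAINTEXT_STATIC_{attr}")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("WEAK_VALIDATION_ALGORITHM")  # prefer HMACSHA256
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("VIEWSTATE_MAC_DISABLED")  # unsigned ViewState is accepted
    return findings


def generate_machine_key_element() -> str:
    """Fresh keys in the hex form ASP.NET expects: 64-byte HMACSHA256 validation
    key and 32-byte AES decryption key. Encrypt the section after installing it."""
    return (f'<machineKey validationKey="{secrets.token_hex(64)}" '
            f'decryptionKey="{secrets.token_hex(32)}" '
            f'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    print("plaintext sample:", audit_machine_key(PLAINTEXT_CONFIG))
    print("encrypted sample:", audit_machine_key(ENCRYPTED_CONFIG))
    print(generate_machine_key_element())
```

A freshly generated element still reports its keys as plaintext until the section is encrypted, which is the intended order: install the new keys, then protect the section.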
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4051801/sitecore-zero-day-configuration-flaw-under-active-exploitation.html

