Security researchers at Microsoft have warned that the range of tools used in web shell attacks appears to be growing, and that the pace of web shell attacks has accelerated.
“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.
Researchers said the growing popularity of web shells may be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in common web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.
“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.
Microsoft said hackers have been installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers using legitimate search engines, such as shodan.io.
Hackers are increasingly using web shells because they allow them to persist in a victim’s network.
“Web shells ensure that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” researchers said. They added that finding and removing all backdoors is a critical part of compromise recovery.
According to the researchers, there are several key difficulties in finding these kinds of tools in an infrastructure. Hackers can build web shells in many web application languages. Another problem for detection is determining the intent of a seemingly innocuous web shell.
“A benign-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.
One final difficulty for detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.
“Attackers can hide web shell scripts in a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” researchers said.
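A defender-side check for the media-file trick described above, added here as an example and not code from the Microsoft report: it walks a web root and flags any file that claims to be an image (by extension or by magic bytes) yet contains a server-side script opener. The magic-byte table, the marker patterns and the sample files it writes are assumptions of this example; the samples are constructed, inert placeholders, not working web shells.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Magic bytes of the image formats this check knows (assumption: extend for your server).
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Server-side script openers that have no legitimate reason to appear inside an image.
SCRIPT_MARKERS = re.compile(rb"<\?php\b|<\?=|<%@|<jsp:|<script[^>]*runat=", re.IGNORECASE)


def image_kind(data: bytes) -> Optional[str]:
    """Return the image format announced by the file's magic bytes, if any."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_file(path: Path) -> Optional[Dict[str, object]]:
    """Flag a file that claims to be an image (by extension or magic) but holds a script opener."""
    data = path.read_bytes()
    kind = image_kind(data)
    looks_like_image = kind is not None or path.suffix.lower() in IMAGE_EXTS
    match = SCRIPT_MARKERS.search(data)
    if not looks_like_image or match is None:
        return None
    return {
        "path": str(path),
        "magic": kind,  # None when only the extension claims "image"
        "marker": match.group(0).decode(errors="replace"),
    }


def scan_webroot(root: Path) -> List[Dict[str, object]]:
    """Walk a web root and return every image-shaped file that hides a script opener."""
    return [h for p in sorted(root.rglob("*")) if p.is_file() and (h := scan_file(p))]


def write_constructed_samples(root: Path) -> None:
    """Constructed sample files for the demo; none of them is a working web shell."""
    (root / "uploads").mkdir(parents=True, exist_ok=True)
    (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # clean
    (root / "uploads" / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 1; ?>")
    (root / "uploads" / "photo.gif").write_bytes(b"<?php echo 2; ?>")  # image by extension only
    (root / "readme.txt").write_bytes(b"<?php appears in prose here, but this is not an image")


def run_demo() -> List[Dict[str, object]]:
    """Build the constructed samples in a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(Path(tmp))
        return scan_webroot(Path(tmp))
```

Running `run_demo()` flags `avatar.jpg` (valid JPEG header with a PHP opener appended) and `photo.gif` (script content behind an image extension), and leaves the clean PNG and the text file alone.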
Microsoft issued a set of recommendations to companies on how to secure systems against web shell attacks, including identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of the perimeter network so that a compromised web server does not lead to the compromise of the enterprise network.