Microsoft is concerned with escalating web shell attacks

[Image: Unknown hacker on a computer in a dark room (Image credit: Shutterstock)]

Security researchers at Microsoft have warned that the number of tools used in web shell attacks appears to be increasing, and the number of web shell attacks has accelerated.

“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.

Researchers said the increasing popularity of web shells might be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in a common web development language (e.g., ASP, PHP, JSP) that attackers implant on a web server to gain remote access to it and execute code on it.

“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.

Microsoft said hackers were installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers via legitimate search engines, such as shodan.io.

Hackers are increasingly using web shells because they can persist in a victim’s network.

“Web shells guarantee that a backdoor exists in a compromised network because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” said researchers. They added that finding and removing all backdoors is a critical aspect of compromise recovery.

According to researchers, discovering such tools in an organization's infrastructure poses major challenges. Hackers can write web shells in any of several web application languages. Another detection problem is determining the intent of a seemingly innocuous script, since a web shell need not look malicious on its face.

“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.

One final problem in detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.

“Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” said researchers.
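The two detection problems the researchers describe above, a script whose intent is not obvious and server-side code hidden inside a media file, can both be checked for with a simple scan of the web root. The following is an added example, not Microsoft's tooling and not code from the article: the sample web root it builds, the file names and contents, and the (deliberately short) pattern lists are constructed for this demonstration.

```python
"""
Added detection example (not Microsoft's code): scan a web root for the two
web shell indicators described in the article:
  1. server-side code markers inside a file that claims to be an image;
  2. script files where request-controlled input and a code/command
     execution sink appear on the same line (the minimal web shell shape).
All files written by build_sample_webroot() are constructed fixtures.
"""
import os
import re
import tempfile

# Extensions treated as media, with their usual leading bytes (for the fixtures).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}

# Markers that open server-side code in the languages the article names
# (ASP, PHP, JSP). Illustrative, not a complete list.
SCRIPT_MARKERS = [
    re.compile(rb"<\?php\b", re.I),
    re.compile(rb"<\?="),
    re.compile(rb"<%"),
    re.compile(rb"<script[^>]+runat\s*=\s*[\"']?server", re.I),
]

# Request-controlled sources and execution sinks; co-occurrence on one line
# is the crude heuristic used here.
SOURCES = re.compile(
    rb"\$_(GET|POST|REQUEST|COOKIE)\b|Request\s*[\(\.]|request\.getParameter", re.I
)
SINKS = re.compile(
    rb"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert"
    rb"|Runtime\.getRuntime\(\)\.exec|Process\.Start)\b",
    re.I,
)


def hidden_script_in_media(path: str) -> bool:
    """True when a file with an image extension carries server-side code.

    A valid image header does not exonerate the file: the photo case in the
    article is harmless on a workstation and only dangerous when the server
    hands it to a script interpreter, so markers are searched for anywhere.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False
    with open(path, "rb") as f:
        data = f.read()
    return any(marker.search(data) for marker in SCRIPT_MARKERS)


def source_to_sink_lines(data: bytes) -> list:
    """Line numbers where request input and an execution sink share a line."""
    hits = []
    for number, line in enumerate(data.splitlines(), start=1):
        if SOURCES.search(line) and SINKS.search(line):
            hits.append(number)
    return hits


def scan_webroot(root: str) -> list:
    """Walk a web root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_MAGIC and hidden_script_in_media(path):
                findings.append((rel, "server-side code inside a media file"))
            elif ext in SCRIPT_EXTENSIONS:
                with open(path, "rb") as f:
                    lines = source_to_sink_lines(f.read())
                if lines:
                    findings.append(
                        (rel, "request input reaches an execution sink on line(s) %s" % lines)
                    )
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed web root with two benign and two suspicious files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": b"<?php echo 'hello'; ?>\n",                       # benign script
        "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,                 # benign image
        # JPEG header followed by PHP: an image to a viewer, code to an interpreter.
        "uploads/avatar.jpg": IMAGE_MAGIC[".jpg"] + b"\x00" * 16 + b"<?php echo 'x'; ?>",
        # Constructed fixture of the minimal web shell shape the article describes.
        "uploads/cmd.php": b"<?php\n// fixture for the detector\nsystem($_REQUEST['cmd']);\n?>\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print("%-22s %s" % (rel, reason))
```

The same-line source-to-sink rule is intentionally crude; a production scanner follows data across lines and decodes obfuscated strings, and a single pattern hit is a lead for an analyst rather than a verdict. Findings in an upload directory deserve the most attention, because that is where the arbitrary-upload flaw the researchers describe lands files.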

Microsoft made a slate of recommendations to organizations on how to secure systems against web shell attacks, such as identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of a perimeter network so a compromised web server doesn’t lead to the compromise of the enterprise network.
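One concrete instance of "remediating vulnerabilities or misconfigurations in web applications" is the upload flaw described earlier, where attackers can write arbitrary files into the web directory. The following is an added example, not Microsoft's guidance verbatim and not code from any framework: a minimal hardened upload handler beside the vulnerable shape it replaces. The function names, the extension allowlist, the size limit, the assumption that the storage directory lies outside the served tree, and the constructed inputs in demo() are all assumptions of this example.

```python
"""
Added mitigation example (not Microsoft's code, not a real framework's API):
a hardened file upload path contrasted with the vulnerable one. The
vulnerable handler lets the client pick the name and extension under the
web root; the hardened one validates, renames and stores outside it.
"""
import os
import secrets
import tempfile

# Allowlisted extensions with the leading bytes each must start with (assumed).
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def vulnerable_save(webroot: str, client_name: str, content: bytes) -> str:
    """Anti-pattern: the client-supplied name decides path and extension
    inside the served directory, so a .php upload becomes executable."""
    path = os.path.join(webroot, "uploads", client_name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def validate_upload(client_name: str, content: bytes) -> str:
    """Return the allowlisted extension, or raise UploadRejected."""
    base = os.path.basename(client_name)           # drops any directory traversal
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if not stem or "." in stem:                     # rejects "x.php.png" double extensions
        raise UploadRejected("unexpected file name shape")
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def hardened_save(store_dir: str, client_name: str, content: bytes) -> str:
    """Validate, then write under a random server-chosen name.

    store_dir is assumed to be outside the web root; the application streams
    files back from it later, so nothing there is ever executed or served
    directly by the web server.
    """
    ext = validate_upload(client_name, content)
    path = os.path.join(store_dir, secrets.token_hex(16) + ext)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo() -> dict:
    """Run both handlers on constructed inputs; returns outcomes keyed by case."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(webroot, "uploads"))
    store = tempfile.mkdtemp(prefix="upload-store-")
    png = ALLOWED[".png"] + b"\x00" * 16
    results = {}
    # The vulnerable path keeps the attacker's name: a .php lands under the web root.
    results["vulnerable_keeps_name"] = vulnerable_save(
        webroot, "cmd.php", b"<?php echo 1; ?>"
    ).endswith(os.path.join("uploads", "cmd.php"))
    # The hardened path stores a valid image under a random name, never the client's.
    good = hardened_save(store, "avatar.png", png)
    results["good"] = good.endswith(".png") and "avatar" not in os.path.basename(good)
    for label, name, body in [
        ("double_ext", "shell.php.png", png),
        ("script_ext", "cmd.php", b"<?php echo 1; ?>"),
        ("mismatch", "photo.jpg", png),
        ("traversal", "../../index.png", png),   # basename() neutralizes this
    ]:
        try:
            hardened_save(store, name, body)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-22s %s" % (case, outcome))
```

The hardened path never lets the client-supplied name or extension reach disk, refuses double extensions, checks that the bytes agree with the declared type, and stores files where, by assumption, the web server neither serves nor executes them. That last property is the real fix: even a polyglot image that passes the leading-bytes check is inert if no interpreter is ever pointed at it. Segmenting the web tier, as the recommendations also describe, limits what a shell can reach if one does get through.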

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.