Microsoft is concerned with escalating web shell attacks

140,000 malware tools discovered on average every month

Unknown hacker on a computer in a dark room

Security researchers at Microsoft have warned that the number of tools used in web shell attacks appears to be increasing, and the number of web shell attacks has accelerated.

“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.

Researchers said the increasing popularity of web shells might be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.

“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.

Microsoft said hackers were installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers via legitimate search engines, such as shodan.io.

Hackers are increasingly using web shells because they can persist in a victim’s network.

“Web shells guarantee that a backdoor exists in a compromised network because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” said researchers. They added that finding and removing all backdoors is a critical aspect of compromise recovery.

According to researchers, there are major challenges to discovering such tools in the infrastructure. Hackers can create web shells using several web application languages. Another problem in detection is discovering the seemingly innocuous web shell’s intent.

“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.

One final problem in detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.

“Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” said researchers.

Microsoft made a slate of recommendations to organizations on how to secure systems against web shell attacks, such as identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of a perimeter network so a compromised web server doesn’t lead to the compromise of the enterprise network.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Colonial Pipeline reportedly paid $5 million ransom
Security

Colonial Pipeline reportedly paid $5 million ransom

13 May 2021
Report finds ransomware hitting manufacturers hardest
hacking

Report finds ransomware hitting manufacturers hardest

13 May 2021
Over two-thirds of companies still run software with WannaCry flaw
WannaCry

Over two-thirds of companies still run software with WannaCry flaw

12 May 2021
IT researcher finds widespread flaws in Wi-Fi security
wifi & hotspots

IT researcher finds widespread flaws in Wi-Fi security

12 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell XPS 17 (2021) review: A big laptop for big jobs
Laptops

Dell XPS 17 (2021) review: A big laptop for big jobs

10 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021