Microsoft is concerned with escalating web shell attacks

140,000 malware tools discovered on average every month

Security researchers at Microsoft have warned that the number of tools used in web shell attacks appears to be increasing, and the number of web shell attacks has accelerated.

“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.

Researchers said the increasing popularity of web shells might be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.

“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.

Microsoft said hackers were installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers via legitimate search engines, such as shodan.io.

Hackers are increasingly using web shells because they can persist in a victim’s network.

“Web shells guarantee that a backdoor exists in a compromised network because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” said researchers. They added that finding and removing all backdoors is a critical aspect of compromise recovery.

According to researchers, there are major challenges to discovering such tools in an organization's infrastructure. Hackers can create web shells in any of several web application languages. Another detection problem is determining the intent of a seemingly innocuous script.

“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.

One final problem in detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.

“Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” said researchers.
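The file-in-a-photo case above is one a defender can check for on the upload path. The following is an added example (not Microsoft's code or tooling) that inspects bytes claiming to be an image for a header/extension mismatch and for server-side script markers in the languages the article names; the marker list, the magic-byte table and the sample files are all constructed for this example.

```python
import re

# Heuristic markers for code in the server-side languages the article names
# (ASP, PHP, JSP). Constructed for this example; a hit means "review this
# file", not proof of compromise.
SCRIPT_MARKERS = [re.compile(p) for p in (
    rb"<\?php",                                  # PHP open tag
    rb"<\?=",                                    # PHP short echo tag
    rb"<%[@=\s]",                                # ASP / JSP code or directive block
    rb"<script[^>]+runat\s*=\s*[\"']?server",    # ASP.NET server-side script
    rb"\b(?:eval|system|passthru|shell_exec)\s*\(",  # common execution calls
)]

IMAGE_MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def scan_upload(data: bytes, claimed_ext: str) -> dict:
    """Inspect bytes uploaded as an image and report what a web shell hidden
    in a photo would leave behind: a header/extension mismatch or server-side
    script markers anywhere in the file body (the image still renders fine)."""
    findings = []
    kind = next((k for k, magic in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    expected = EXT_TO_KIND.get(claimed_ext.lower().lstrip("."))
    if kind is None:
        findings.append("no recognised image header")
    elif kind != expected:
        findings.append(f"header says {kind}, extension says {claimed_ext}")
    for pat in SCRIPT_MARKERS:
        for m in pat.finditer(data):
            findings.append(f"script marker {m.group(0)!r} at offset {m.start()}")
    return {"image_type": kind, "suspicious": bool(findings), "findings": findings}


# Constructed sample files: a minimal clean JPEG, the same JPEG with a PHP block
# inserted before the end-of-image marker, and a PNG carrying a JSP directive.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
TAMPERED_JPEG = CLEAN_JPEG[:-2] + b"<?php eval('1;'); ?>" + b"\xff\xd9"
TAMPERED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b'<%@ page import="java.io.*" %>'

if __name__ == "__main__":
    for name, blob, ext in (("clean", CLEAN_JPEG, "jpg"),
                            ("tampered jpeg", TAMPERED_JPEG, "jpg"),
                            ("png as jpg", TAMPERED_PNG, "jpg")):
        print(name, scan_upload(blob, ext))
```

Flagging is only half the control: the server must also never hand the uploads directory to a script engine, so that even an unflagged file is served as static content rather than executed.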

Microsoft made a slate of recommendations to organizations on how to secure systems against web shell attacks, such as identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of a perimeter network so a compromised web server doesn’t lead to the compromise of the enterprise network.
