Published on April 23rd, 2020
Hackers exploit these vulnerabilities to deploy backdoors
The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint report warning of threat actors increasingly exploiting vulnerable web servers to deploy web shells.
Web shells are malicious tools that hackers can deploy on a compromised internal or internet-exposed server to gain and maintain access, as well as remotely execute arbitrary commands, deliver additional malware payloads, and pivot to other devices within the network.
They can be uploaded onto vulnerable servers in a wide variety of forms, from programs specifically designed to provide web shell features and Perl, Ruby, Python, and Unix shell scripts to app plugins and PHP and ASP code snippets injected within a web app’s pages.
“Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks,” the NSA said.
“This guidance will be useful for any network defenders responsible for maintaining web servers,” the ASD added.
Malicious cyber actors are actively using web shells in their intrusion campaigns.
— NSA/CSS (@NSAGov) April 22, 2020
Web shell detection, prevention, and mitigation
The 17-page security advisory published by the two government intelligence agencies contains a wide range of information for security teams who want to detect hidden web shells, manage the response and recovery process after detecting them, and block malicious actors from deploying such tools on unpatched servers.
The NSA has a dedicated GitHub repository containing tools that companies can use to detect and block web shell threats, and to prevent web shell deployment including:
“Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems,” the two agencies said.
“Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems.
“Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks.”
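The advisory's detection theme can be illustrated with a small defender-side script. The following is an added example written for this article, not code from the agencies' report or from the NSA's GitHub repository; it combines two generic techniques that such guidance typically recommends: comparing the web root against a known-good hash baseline to surface new or modified files, and scoring those files with simple heuristics (code/command-execution functions, reads of request parameters, decoding helpers). The web root, its files and the injected snippets in `demo()` are constructed for the example; the regexes and the "suspicious" threshold are this example's own assumptions, not a published signature set.

```python
import hashlib
import os
import re
import tempfile

# Generic indicators for PHP/ASP web shells (assumptions for this example,
# not the NSA/ASD signatures): code/command execution, request input, decoding.
EXEC_FUNCS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE)\b|Request\.(Form|QueryString)", re.I)
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)


def build_baseline(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_against_baseline(root, baseline):
    """Return (new_files, modified_files) relative to a known-good baseline."""
    current = build_baseline(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def score_file(text):
    """Return the list of heuristic indicators found in a file's text."""
    reasons = []
    if EXEC_FUNCS.search(text):
        reasons.append("code/command execution function")
    if REQUEST_INPUT.search(text):
        reasons.append("reads request parameters")
    if OBFUSCATION.search(text):
        reasons.append("decoding/obfuscation helper")
    return reasons


def scan_webroot(root, baseline):
    """Score only files that changed since the baseline; flag the classic
    'execution function fed by request input' shape as suspicious."""
    findings = []
    new, modified = diff_against_baseline(root, baseline)
    for rel in new + modified:
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            reasons = score_file(fh.read())
        suspicious = ("code/command execution function" in reasons
                      and "reads request parameters" in reasons)
        findings.append({"path": rel, "status": "new" if rel in new else "modified",
                         "reasons": reasons, "suspicious": suspicious})
    return findings


def demo():
    """Constructed scenario: baseline a clean web root, then simulate a
    dropped file and an injected snippet, and scan."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'Hello'; ?>")
    with open(os.path.join(root, "inc", "db.php"), "w") as fh:
        fh.write("<?php $dsn = 'mysql:host=localhost'; ?>")
    baseline = build_baseline(root)  # taken while the deployment is known-good

    # Constructed post-compromise changes: one new file, one legitimate page appended to.
    with open(os.path.join(root, "inc", "cache.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['z'])); ?>")
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("\n<?php if(isset($_GET['c'])){ system($_GET['c']); } ?>")
    return scan_webroot(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is captured from the build artifact or a clean deployment and stored off the web server, so an intruder who gains write access to the web root cannot also rewrite the reference hashes; the heuristics then only have to be applied to the small set of files that the hash comparison already singled out, which keeps false positives manageable.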
Vulnerabilities used to install web shells
Organizations are urged to patch their internet-facing and internal web apps immediately to mitigate the risk from ‘n-day’ vulnerabilities that attackers could take advantage of to compromise servers.
The NSA and the ASD list multiple security vulnerabilities commonly exploited by hackers to install web shell malware, including flaws in Microsoft SharePoint, Citrix appliances, Atlassian software, Adobe ColdFusion, Zoho ManageEngine, the WordPress Social Warfare plugin, and the Progress Telerik UI app-building toolkit.
Roughly 77,000 web shells tracked daily
To highlight just how popular web shells are these days among threat actors, a Microsoft report from February says that its Microsoft Defender Advanced Threat Protection (ATP) team “detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.”
“Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to,” Microsoft said.