
Microsoft is concerned with escalating web shell attacks

140,000 malware tools discovered on average every month

Security researchers at Microsoft have warned that the number of tools used in web shell attacks appears to be increasing, and the number of web shell attacks has accelerated.

“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.

Researchers said the increasing popularity of web shells might be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in a common web development language (e.g., ASP, PHP, JSP) that attackers implant on web servers to gain remote access to, and code execution on, the server.

“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.

Microsoft said hackers were installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers via legitimate search engines, such as shodan.io.

Hackers are increasingly using web shells because they can persist in a victim’s network.

“Web shells guarantee that a backdoor exists in a compromised network because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” said researchers. They added that finding and removing all backdoors is a critical aspect of compromise recovery.

According to researchers, there are major challenges to discovering such tools in an organization's infrastructure. Hackers can write web shells in any of several web application languages, so there is no single file type to look for. A further detection problem is determining the intent of a seemingly innocuous script.

“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.

One final problem in detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.

“Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” said researchers.
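The two detection problems the researchers describe, a script whose intent is not obvious from its file type and server-side code hidden inside a file that claims to be a photo, can be triaged with a simple heuristic scan of an upload or media directory. The following is an added example written for this article, not code from Microsoft or from the report it summarises. It assumes a directory that should contain only uploaded media (so no `.php`/`.asp`/`.jsp` files belong there at all), checks that image files begin with the magic bytes their extension implies, and looks for server-side script open tags inside files that are not supposed to be scripts. The sample files, the `SAMPLE_UPLOADS` dictionary and the function names are constructed for the example; matches are leads for review, not proof of compromise, since short byte patterns can occur by chance in binary data.

```python
from __future__ import annotations

import os
import re

# Server-side script open tags for the languages the article names (PHP, ASP, JSP).
# A legitimate image or text file has no reason to contain these.
SCRIPT_MARKERS = [
    ("php", re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)),
    ("asp/jsp", re.compile(
        rb"<%\s*[@=]|<%\s*(?:eval|execute|response|request|server|runtime)\b",
        re.IGNORECASE)),
]

# Extensions the web server would hand to a script engine. In an upload
# directory none of these should exist, whatever their content.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}

# File signatures for common image formats: a file with one of these
# extensions should start with the matching bytes.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def scan_file(path: str, data: bytes) -> list[str]:
    """Return a list of reasons this file deserves review (empty if clean)."""
    ext = os.path.splitext(path)[1].lower()
    reasons: list[str] = []

    if ext in SCRIPT_EXTS:
        # No need to inspect content: a script file in a media directory is the finding.
        reasons.append("script extension in upload directory")
        return reasons

    expected = IMAGE_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append(f"extension {ext} but file lacks {ext} magic bytes")

    for lang, pattern in SCRIPT_MARKERS:
        match = pattern.search(data)
        if match:
            reasons.append(f"{lang} script marker at offset {match.start()}")
    return reasons


def scan_tree(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan an in-memory mapping of relative path -> content; keep only files with findings."""
    return {p: r for p, d in files.items() if (r := scan_file(p, d))}


def scan_directory(root: str) -> dict[str, list[str]]:
    """Read every file under root from disk and run the same checks."""
    files: dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_tree(files)


# Constructed sample upload directory (not real captured files).
SAMPLE_UPLOADS = {
    # Well-formed PNG header followed by filler: should be clean.
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    # Valid JPEG start, but a PHP open tag appended after the image data:
    # harmless on a workstation, executed if the server routes it to PHP.
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32
                 + b"<?php /* script body omitted in this constructed sample */ ?>",
    # Claims to be a GIF but is nothing but script: two findings.
    "banner.gif": b"<?php /* script body omitted in this constructed sample */ ?>",
    # Script extension where only media belongs.
    "shell.php": b"",
    # Plain text, no image extension, no markers: clean.
    "notes.txt": b"meeting at 10",
}

if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_UPLOADS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Running the block lists `photo.jpg`, `banner.gif` and `shell.php` with their reasons; `scan_directory("/var/www/uploads")` applies the same checks to a real directory. The extension check is deliberately first because the web server's handler mapping, not the file's content, decides whether a file is executed, which is why the researchers' "harmless on a workstation, malicious on the server" case arises.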

Microsoft made a slate of recommendations to organizations on how to secure systems against web shell attacks, such as identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of a perimeter network so a compromised web server doesn’t lead to the compromise of the enterprise network.
