Microsoft is concerned with escalating web shell attacks

140,000 malware tools discovered on average every month

Unknown hacker on a computer in a dark room

Security researchers at Microsoft have warned that the number of tools used in web shell attacks appears to be increasing, and the number of web shell attacks has accelerated.

“Every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year,” researchers said.

Researchers said the increasing popularity of web shells might be due to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions.

“Web shells allow attackers to run commands on servers to steal data or use the server as a launchpad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity while allowing attackers to persist in an affected organization,” according to the Microsoft researchers.

Microsoft said hackers were installing web shells on servers by taking advantage of security gaps, such as web application flaws in internet-facing servers. The hackers find these servers via legitimate search engines, such as shodan.io.

Hackers are increasingly using web shells because they can persist in a victim’s network.

“Web shells guarantee that a backdoor exists in a compromised network because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to,” said researchers. They added that finding and removing all backdoors is a critical aspect of compromise recovery.

According to researchers, there are major challenges to discovering such tools in the infrastructure. Hackers can create web shells using several web application languages. Another problem in detection is discovering the seemingly innocuous web shell’s intent.

“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” researchers said.

One final problem in detection is hackers’ ability to hide web shells in non-executable file formats, such as media files.

“Attackers can hide web shell scripts within a photo and upload it to a web server. When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server-side,” said researchers.

Microsoft made a slate of recommendations to organizations on how to secure systems against web shell attacks, such as identifying and remediating vulnerabilities or misconfigurations in web applications and web servers, as well as implementing proper segmentation of a perimeter network so a compromised web server doesn’t lead to the compromise of the enterprise network.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021
Biden looks to shore up the electrical grid’s cyber security
Security

Biden looks to shore up the electrical grid’s cyber security

15 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021