Microsoft is seeing a huge increase in the use of the Web shell

Microsoft security personnel are seeing a huge increase in the use of Web shells, the lightweight programs that hackers install so they can dig deeper into websites they have already compromised.

The average number of Web shells installed per month from August 2020 to January this year was 144,000, almost double the figure for the same months in 2019 and 2020. The peak continues an acceleration in growth that the same Microsoft researchers had observed over the past year.

A Swiss army knife for hackers

The growth reflects how useful and how hard to detect these simple programs are. A Web shell is an interface that allows hackers to execute standard commands on a Web server once the server has been compromised. Web shells are written in web-based programming languages such as PHP, JSP or ASP, and their command interfaces work much the same way browsers do.

Once successfully installed, Web shells let remote hackers do almost everything a legitimate administrator can do. Hackers can use them to execute commands that steal data, run malicious code and return system information that enables further lateral movement across the compromised network. The programs also provide a persistent backdoor that, for all its effectiveness, remains surprisingly difficult to detect.

In a blog post published on Thursday, members of the Microsoft Detection and Response Team and the Microsoft 365 Defender Research Team wrote:

Once installed on a server, web shells work as one of the most effective means of persistence in an enterprise. We often see cases where web shells are used only as a persistence mechanism. Web shells guarantee the existence of a backdoor on a compromised network, because an attacker leaves a malicious implant after establishing an initial base on a server. If not detected, web shells provide a way for attackers to continue to collect data and monetize the networks to which they have access.

Compromise recovery cannot be successful and lasting without locating and removing the attacker’s persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only viable option for many. Therefore, finding and removing all backdoors is a critical aspect of compromise recovery.

Case studies

In early July, the Metasploit hacking framework added a module that exploited a critical vulnerability in the Big-IP advanced delivery controller, an F5-made device that is typically placed between a perimeter firewall and a web application to handle load balancing and other tasks. A day later, Microsoft researchers began to see hackers using the exploit to install Web shells on vulnerable servers.

Initially, hackers used the Web shells to install malware that harnessed the servers' computing power to mine cryptocurrency. Less than a week later, researchers saw hackers exploiting the Big-IP vulnerability to install Web shells for a much wider variety of uses on servers owned by both the U.S. government and private industry.

In another case last year, Microsoft said it conducted an incident response after a public sector organization found that hackers had installed a Web shell on one of its Internet-facing servers. The hackers “loaded a Web shell into multiple folders on the Web server, leading to subsequent compromise of service accounts and domain administrator accounts,” wrote Microsoft researchers. “This allowed attackers to conduct reconnaissance using net.exe, search for additional target systems using nbtstat.exe and eventually move laterally using PsExec.”

The hackers went on to install a backdoor on an Outlook server that intercepted all incoming and outgoing emails, performed additional reconnaissance and downloaded further malicious payloads. Among other things, the backdoor let the attackers send specially crafted emails that it interpreted as commands.

Needle in a haystack

Because they are written in standard web development languages, web shells can be difficult to detect. Compounding the difficulty, Web shells have several ways of receiving commands: attackers can hide commands within user agent strings and in parameters passed during an exchange between the attacker and the compromised website. As if that were not enough, web shells can be stored within media files or other non-executable file formats.

“When this file is loaded and analyzed on a workstation, the photo is harmless,” wrote Microsoft researchers. “But when a web browser requests this file from a server, the malicious code is executed on the server side. These challenges in detecting Web shells contribute to their growing popularity as an attack tool.”

Thursday’s post lists a variety of steps that administrators can take to prevent web shells from reaching the server. They include:

  • Identify and fix vulnerabilities or incorrect settings in applications and web servers. Use threat and vulnerability management to discover and correct these weaknesses. Deploy the latest security updates as they become available.
  • Implement the proper segmentation of your perimeter network, so that a compromised web server does not lead to compromising the corporate network.
  • Enable antivirus protection on web servers. Activate the protection provided by the cloud to get the latest defenses against new and emerging threats. Users should only be able to upload files to directories that can be scanned by antivirus and configured to not allow scripts or server-side execution.
  • Audit and analyze web server logs frequently. Be aware of all the systems that you expose directly to the Internet.
  • Use Windows Defender Firewall, intrusion prevention devices and your network firewall to block command-and-control communication between endpoints whenever possible, limiting lateral movement as well as other attack activities.
  • Check your perimeter and proxy firewall to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain administrator level privileges.
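Two of the evasion techniques described above (script code hidden inside media files, and commands carried in query parameters or user agent strings) and the advice to audit web server logs can be turned into a simple defender-side check. The following is an added example, not code from Microsoft or from the article; the script openers, command tokens and the combined-format log lines it uses are constructed for illustration and are a starting point, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Server-side script openers that have no business inside an image file.
SCRIPT_TAGS = re.compile(rb"<\?php|<\?=|<%[@=\s]|<script[^>]+runat=[\"']?server", re.I)
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".bmp"}
# Command-like tokens attackers tuck into parameters and user agent strings (constructed list).
CMD_TOKENS = re.compile(r"\b(?:cmd|exec|whoami|powershell|nbtstat|net\s+(?:user|group|view))\b|/bin/sh", re.I)
# Apache/nginx combined log format: request line, status, bytes, referrer, user agent.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def scan_media_files(root):
    """Return media-extension files under root whose bytes contain a server-side script opener."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MEDIA_EXT:
            if SCRIPT_TAGS.search(path.read_bytes()):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)

def scan_log_lines(lines):
    """Return (reason, line) pairs for requests that look like web shell traffic."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("path").partition("?")
        if Path(path).suffix.lower() in MEDIA_EXT and query:
            findings.append(("media file requested with parameters", line))
        elif CMD_TOKENS.search(query) or CMD_TOKENS.search(m.group("ua")):
            findings.append(("command-like token in query or user agent", line))
    return findings

# Constructed sample log lines: one benign image fetch, one image fetched with a parameter,
# one POST whose user agent string carries a command.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Feb/2021:10:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2021:10:00:07 +0000] "GET /uploads/photo.jpg?x=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2021:10:00:09 +0000] "POST /index.php HTTP/1.1" 200 40 "-" "cmd=net user"',
]

def demo():
    """Build a constructed web root (one clean PNG, one JPEG carrying a PHP opener) and run both scans."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (Path(root) / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php echo 'constructed sample'; ?>")
        return scan_media_files(root), scan_log_lines(SAMPLE_LOGS)

if __name__ == "__main__":
    print(demo())
```

A file that trips the media scan is a candidate for the upload-directory hardening in the list above; a hit in the log scan is a reason to look at what else that client touched.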

The National Security Agency has published tools that help administrators detect and remove web shells on their networks.