Microsoft said the number of web shells has doubled since last year


Image: Microsoft

Microsoft says the number of malicious shells installed on web servers has almost doubled since its previous count, in August 2020.

In a blog post yesterday, the Redmond company said it detected about 140,000 web shells per month between August 2020 and January 2021, up from the average of 77,000 reported last year.

The number has increased as a result of a change in the way hackers view web shells. Once considered a tool for script kiddies who deface websites and an access tool for DDoS botnet operators, web shells are now part of the arsenal of nation-state hacking groups and ransomware gangs and are crucial tools in complex intrusions.

Two of the reasons they have become so popular are the versatility and access they provide to hacked servers.

Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server – such as PHP, ASP, JSP or JS – and can be easily hidden within the source code of a site. This makes detecting them difficult, and detection usually requires manual analysis by a human operator.

In addition, web shells give hackers a simple way to execute commands on a hacked server through a graphical or command-line interface, which in turn gives attackers a simple way to scale their attacks.

Web shells more prevalent as more servers are brought online

As the corporate IT space has shifted to hybrid cloud environments, the number of companies running web servers has increased in recent years, and in many cases, public-facing servers often have direct connections to internal networks.

As Microsoft statistics have shown, attackers also seem to have noticed this change in the composition of corporate IT networks and intensified their attacks on public-facing systems.

Web shells now play a crucial role in their attacks, providing a way to control the hacked server and then pivot into the target's internal network.

These types of attacks are exactly what the United States National Security Agency warned about in April 2020, when it published a list of 25 vulnerabilities that were being exploited to install web shells.

The NSA report warned not just about web shells on public-facing systems, but also about their use within internal networks, where they are used as proxies to jump to public-facing systems.

Microsoft asks companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of today's biggest security threats. To help keep networks secure, the operating system maker recommends some basic steps:

  • Patch public-facing systems, since most web shells are installed after attackers exploit unpatched vulnerabilities.
  • Extend antivirus protection to web servers, not just employee workstations.
  • Segment the network so that a compromised server can reach only a small set of systems, not the entire network.
  • Audit and analyze web server logs frequently, especially for public-facing systems, which are the most exposed to scans and attacks.
  • Practice good credential hygiene. Limit the use of accounts with local or domain administrator privileges.
  • Check your perimeter and proxy firewall to restrict unnecessary access to services, including access to services through non-standard ports.
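As an added illustration of the "audit web server logs" step (example code written for this page, not from Microsoft's post or the article), the script below reviews constructed sample lines in the combined access-log format and flags server-side scripts that show typical web shell traits: a script living in an upload or media directory, command-like query parameters, or POST traffic coming from a single client only. The directory names, parameter names and thresholds are heuristics assumed here, not a published Microsoft indicator list.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:09:12:05 +0000] "GET /about.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2021:09:14:20 +0000] "POST /uploads/images/photo.php HTTP/1.1" 200 812 "-" "python-requests/2.25"
198.51.100.9 - - [10/Feb/2021:09:14:22 +0000] "POST /uploads/images/photo.php HTTP/1.1" 200 2044 "-" "python-requests/2.25"
198.51.100.9 - - [10/Feb/2021:09:15:10 +0000] "GET /uploads/images/photo.php?cmd=whoami HTTP/1.1" 200 35 "-" "python-requests/2.25"
192.0.2.44 - - [10/Feb/2021:09:16:00 +0000] "GET /contact.php HTTP/1.1" 200 2900 "https://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Heuristics chosen for this example (assumptions, tune for your site).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp|jspx)$", re.I)
UPLOAD_DIRS = ("/uploads/", "/upload/", "/images/", "/media/", "/tmp/")
CMD_PARAMS = re.compile(r"[?&](cmd|exec|command|shell)=", re.I)

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Map each suspicious script path to the sorted list of reasons it was flagged."""
    per_script = defaultdict(lambda: {"ips": set(), "posts": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path, _, query = rec["path"].partition("?")
        if not SCRIPT_EXT.search(path):
            continue  # only server-side scripts can act as web shells
        entry = per_script[path]
        entry["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            entry["posts"] += 1
        if any(d in path.lower() for d in UPLOAD_DIRS):
            entry["reasons"].add("script in upload/media directory")
        if query and CMD_PARAMS.search("?" + query):
            entry["reasons"].add("command-like query parameter")
    findings = {}
    for path, e in per_script.items():
        if e["posts"] and len(e["ips"]) == 1:
            e["reasons"].add("POSTs from a single client only")
        if e["reasons"]:
            findings[path] = sorted(e["reasons"])
    return findings
```

Each hit is a lead for manual review of the file on disk and its creation time, not a verdict; legitimate upload handlers can trip the directory heuristic.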
