Microsoft said the number of web shells has doubled since last year

Image: Microsoft

Microsoft says the number of malicious web shells installed on web servers has nearly doubled since its last count, published in August 2020.

In a blog post yesterday, the Redmond company said it detected about 140,000 web shells per month between August 2020 and January 2021, an increase from the average of 77,000 reported last year.

The number has increased because of a shift in the way hackers view web shells. Once considered a tool for script kiddies who deface websites and the go-to tool of DDoS botnet operators, web shells are now part of the arsenal of ransomware gangs and nation-state hackers, and are crucial tools for sophisticated intruders.

Two of the reasons they have become so popular are their versatility and the access they give to hacked servers.

Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server, such as PHP, ASP, JSP or JS, and can easily be hidden in the source code of a website. This makes tracing them difficult, often requiring manual analysis by a human analyst.

Additionally, web shells provide hackers with an easy way to execute commands on a hacked server through a graphical or command line interface, giving attackers an easy way to escalate attacks.

Web shells are becoming more common as more servers are put online

As corporate IT has shifted to hybrid cloud environments, the number of businesses running web servers has increased in recent years, and in many cases these public servers have direct connections to internal networks.

As Microsoft's statistics show, attackers seem to have noticed this change in the composition of corporate IT networks and are intensifying their attacks on public systems.

Web shells now play a critical role in their attacks, providing a way to control the hacked server and then orchestrate a pivot to a target’s internal network.

These types of attacks are exactly what the US National Security Agency warned about in April 2020 when it released a list of 25 vulnerabilities commonly used to install web shells.

The NSA report warned not only of web shells being used on public systems, but also of their use within internal networks, where they serve as proxies for jumping to non-public systems.

Microsoft is urging companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of the biggest security threats today. To secure networks, the Windows maker recommends a few basic actions:

  • Patch public systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
  • Extend antivirus protection to web servers, not just employee workstations.
  • Segment networks to limit the damage from an infected server to a small number of systems rather than the entire network.
  • Check and review web server logs regularly, especially for public systems, which are more exposed to scanning and attack.
  • Practice good identity hygiene: limit the use of accounts with local or domain administrator rights.
  • Review your perimeter firewall and proxy to limit unnecessary access to services, including access to services through non-standard ports.
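The log review recommended above can be partly automated. The following is an added example, not code from Microsoft's post or the NSA report: it parses web server log lines in the common "combined" format (constructed sample data, not real traffic) and flags script paths that show several web-shell indicators at once, assuming the operator supplies an allowlist of legitimate application endpoints (the hypothetical `KNOWN_ENDPOINTS`).

```python
import re
from collections import defaultdict

# Constructed sample in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:10:01:14 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2021:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2021:10:05:33 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 342 "-" "python-requests/2.25"
192.0.2.44 - - [10/Feb/2021:10:05:40 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1187 "-" "python-requests/2.25"
192.0.2.44 - - [10/Feb/2021:10:06:02 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 77 "-" "python-requests/2.25"
198.51.100.23 - - [10/Feb/2021:10:07:10 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/index.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")      # server-side script types from the article
UPLOAD_DIRS = ("/uploads/", "/images/", "/media/")  # directories that should hold static files only
KNOWN_ENDPOINTS = {"/index.php", "/login.php"}      # hypothetical allowlist maintained by the operator

def find_suspicious_scripts(log_text, known_endpoints, min_reasons=2):
    """Return {path: [reasons]} for script paths with at least min_reasons indicators."""
    hits = defaultdict(lambda: {"ips": set(), "posts": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the review
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue  # only server-side scripts can be web shells
        e = hits[path]
        e["ips"].add(m["ip"])
        if m["method"] == "POST":
            e["posts"] += 1
            if m["referer"] == "-":
                e["reasons"].add("POST without referer")  # tooling, not a browser form submit
        if path.startswith(UPLOAD_DIRS):
            e["reasons"].add("script in upload directory")
        if path not in known_endpoints:
            e["reasons"].add("not a known application endpoint")
    findings = {}
    for path, e in hits.items():
        if e["posts"] and len(e["ips"]) == 1:
            e["reasons"].add("POSTs from a single client")  # shells usually serve one operator
        if len(e["reasons"]) >= min_reasons:
            findings[path] = sorted(e["reasons"])
    return findings

if __name__ == "__main__":
    for path, reasons in find_suspicious_scripts(SAMPLE_LOG, KNOWN_ENDPOINTS).items():
        print(path, "->", ", ".join(reasons))
```

Flagged paths are candidates for the manual file review the article describes, not verdicts; the allowlist and directory lists must reflect the real application or legitimate endpoints will be reported.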
