Microsoft sees a major spike in the use of web shells



Security personnel at Microsoft are seeing a major increase in the use of web shells, the lightweight scripts attackers install on compromised web servers so they can keep running commands on them and burrow further into the network behind them.

From August 2020 through January of this year, Microsoft recorded an average of 144,000 web shell detections per month, almost double the monthly average for the same months a year earlier (August 2019 through January 2020). The peak continues an acceleration in growth that the same Microsoft researchers had already reported over the past year.


A Swiss army knife for hackers

The growth is a sign of how useful, and how hard to detect, these simple programs are. A web shell is a script that gives an attacker a web-based interface for running commands on a web server after the server has been compromised. Web shells are written in the same server-side languages as the applications they sit beside, such as PHP, JSP or ASP, and are driven through ordinary HTTP requests from a browser or any other HTTP client, so their traffic blends in with the rest of the site's.

Once successfully installed, a web shell lets a remote attacker do most of what a legitimate administrator can. Attackers use them to run commands that steal data, execute further malicious code, and gather the system information that enables lateral movement through the compromised network. They also provide a durable backdoor that, for all its simplicity, remains surprisingly difficult to detect.

In a blog post published Thursday, members of Microsoft’s Detection and Response Team and Microsoft 365 Defender Research Team wrote:

Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We often see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that there is a backdoor in a compromised network, because an attacker leaves a malicious implant after first gaining a foothold on a server. If they go unnoticed, web shells provide a way for attackers to continue to collect data from and monetize the networks they can access.

Compromise recovery cannot be successful and sustainable without locating and removing the attacker's persistence mechanisms. And while rebuilding a single compromised system is a great solution, for many, restoring existing assets is the only viable option. Finding and removing all the backdoors is thus a critical aspect of compromise recovery.

Case studies

In early July of last year, the Metasploit hacking framework added a module that exploited a critical vulnerability (CVE-2020-5902) in F5's BIG-IP Application Delivery Controller, a device typically placed between a perimeter firewall and a web application to perform load balancing and other tasks. A day later, Microsoft researchers began seeing attackers use the exploit to install web shells on vulnerable devices.

At first, the attackers used the web shells to install malware that used the devices' computing power to mine cryptocurrency. Less than a week later, researchers saw attackers exploiting the BIG-IP vulnerability to install web shells for a much wider range of purposes on both US government and private industry servers.

In another case last year, Microsoft said it conducted an incident response engagement after a public sector organization discovered that attackers had installed a web shell on one of its Internet-facing servers. The attackers had “uploaded a web shell into multiple directories on the web server, which subsequently led to the compromise of service accounts and domain administrator accounts,” Microsoft researchers wrote. “This allowed the attackers to conduct reconnaissance with net.exe, scan for additional target systems with nbtstat.exe, and eventually move laterally with PsExec.”

The attackers then installed a backdoor on an Outlook server that intercepted all incoming and outgoing email, performed additional reconnaissance, and downloaded other malicious payloads. The backdoor let the attackers issue commands by sending specially crafted emails, which it intercepted and interpreted as instructions.

Needle in a haystack

Because they are written in standard web development languages, web shells are hard to tell apart from legitimate application code. Web shells also have multiple ways to receive and execute commands: attackers can hide commands in User-Agent strings and in the parameters passed during an exchange between the attacker and the compromised site. As if that were not enough, a web shell can be hidden inside a media file or another ostensibly non-executable file format.

“When this file is loaded and analyzed on a workstation, the photo is harmless,” Microsoft researchers wrote. “But when a web browser asks a server for this file, malicious code is executed on the server. These challenges in detecting web shells contribute to their increasing popularity as an attack tool.”

Thursday’s post outlines a few steps administrators can take to prevent web shells from landing on a server. They include:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
  • Implement proper segmentation of your perimeter network so that a compromised web server does not lead to the compromise of the corporate network.
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest protection against new and emerging threats. Users should only be able to upload files into directories that are scanned by antivirus and are configured to disallow server-side scripting or execution.
  • Audit and review web server logs frequently. Be aware of all systems you expose directly to the Internet.
  • Use Windows Defender Firewall, intrusion prevention devices, and your network firewall to block command-and-control communication among endpoints wherever possible, limiting lateral movement and other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain administrator privileges.
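Reviewing web server logs, as the list above recommends, can be partly automated. The script below is an added example, not Microsoft's code; it parses IIS W3C-format access logs (the format IIS writes by default, with `+` standing in for spaces inside the User-Agent field) and applies four rules drawn from the behaviours described in this article: scripts executing from upload directories, parameters sent to image files, commands smuggled in the User-Agent or query string, and script endpoints that only a single client ever talks to. The log lines, directory names, IP addresses and thresholds are constructed for the example.

```python
"""Hunt for web-shell activity in IIS W3C access logs.

Added example for this page (not Microsoft's code). Rules, drawn from the
behaviours described in the article, over constructed log lines:
  script_in_upload_dir           a server-side script executed from a
                                 directory that should hold only uploads
  query_on_static_media          parameters or a POST body sent to an image
                                 or other "non-executable" file (a polyglot
                                 web shell being driven)
  command_in_request             command tokens or a long base64 blob in the
                                 User-Agent or the query string
  single_client_script_endpoint  a script that only one client ever talks to,
                                 repeatedly and never with a Referer
UPLOAD_DIRS and MIN_HITS are assumptions; tune them per application.
"""
import re
from collections import Counter, defaultdict

UPLOAD_DIRS = ("/uploads/", "/images/", "/media/")                # assumed layout
SCRIPT_EXT = (".php", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg", ".pdf")
MIN_HITS = 2
COMMAND = re.compile(
    r"\b(?:cmd(?:\.exe)?|powershell|whoami|nbtstat|psexec|net(?:\.exe)?\s+(?:user|group|view))\b"
    r"|[A-Za-z0-9+/]{40,}={0,2}",
    re.I,
)


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):       # truncated or malformed line
            continue
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        # IIS writes '+' in place of spaces inside the User-Agent field
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        records.append(rec)
    return records


def detect(records):
    """Return (rule, uri-stem, client-ip, line-number) tuples; line 0 = aggregate rule."""
    alerts = []
    stats = defaultdict(lambda: {"clients": set(), "hits": 0, "referer": False})
    for r in records:
        stem = r["cs-uri-stem"].lower()
        ext = stem[stem.rfind("."):] if "." in stem else ""
        client, query = r["c-ip"], r["cs-uri-query"]
        where = (stem, client, r["_line"])
        if ext in SCRIPT_EXT and stem.startswith(UPLOAD_DIRS):
            alerts.append(("script_in_upload_dir",) + where)
        if ext in MEDIA_EXT and (query != "-" or r["cs-method"] == "POST"):
            alerts.append(("query_on_static_media",) + where)
        if COMMAND.search(r["cs(User-Agent)"]) or (query != "-" and COMMAND.search(query)):
            alerts.append(("command_in_request",) + where)
        if ext in SCRIPT_EXT:
            s = stats[stem]
            s["clients"].add(client)
            s["hits"] += 1
            s["referer"] |= r.get("cs(Referer)", "-") != "-"
    for stem, s in stats.items():
        if len(s["clients"]) == 1 and s["hits"] >= MIN_HITS and not s["referer"]:
            alerts.append(("single_client_script_endpoint", stem, next(iter(s["clients"])), 0))
    return alerts


def rule_counts(alerts):
    """Number of alerts per rule, handy for a first triage pass."""
    return dict(Counter(a[0] for a in alerts))


# Constructed sample: a compromised IIS host. 198.51.100.7 plays the attacker.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2021-01-12 03:14:01 10.0.0.5 GET /index.aspx - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://example.org/ 200
2021-01-12 03:14:07 10.0.0.5 POST /uploads/profile.aspx - 443 198.51.100.7 Mozilla/5.0 - 200
2021-01-12 03:14:09 10.0.0.5 POST /uploads/profile.aspx - 443 198.51.100.7 Mozilla/5.0 - 200
2021-01-12 03:15:30 10.0.0.5 GET /images/avatar.jpg cmd=whoami 443 198.51.100.7 Mozilla/5.0 - 200
2021-01-12 03:16:02 10.0.0.5 GET /index.aspx - 443 198.51.100.7 cmd.exe+/c+whoami - 200
2021-01-12 03:16:40 10.0.0.5 GET /about.aspx - 443 203.0.113.11 Mozilla/5.0+(Macintosh) https://example.org/ 200
"""

if __name__ == "__main__":
    for rule, stem, client, line in detect(parse_iis_log(SAMPLE_LOG)):
        print(f"{rule:30} {stem:24} from {client} (line {line})")
```

The per-request rules are cheap and can run on a log tail as it is written; the single-client rule needs the whole window and is the one that catches a web shell with an innocent name in a legitimate directory, since the implant is typically touched by one operator and never reached through a link on the site.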

The National Security Agency has also published tools and guidance for detecting and removing web shells, in its Mitigating-Web-Shells repository on GitHub (https://github.com/nsacyber/Mitigating-Web-Shells).
