Average 77,000 Active Web Shells A day, Microsoft Reports

• Microsoft team found out several threat groups, including ZINC, KRYPTON, and GALLIUM, using these malicious codes in their attack campaigns.
• China Chopper was one of the most widely adopted web shells.

Recently, Microsoft released an investigative report revealing that on average 77,000 active web shell attacks take place every day.

A web-shell is a malicious script attackers plant to escalate or maintain persistent access on an already compromised web application.

What happened?

Microsoft published a report where it detected an average of 77,000 active web shells across 46,000 infected servers each day.

Commenting on their finding, Microsoft researchers said 77,000 detections on a daily base is a worrisome figure. It implies an intense activity of threat actors in the cybers landscape.

Key findings from the report

• Microsoft team found out several threat groups, including ZINC, KRYPTON, and GALLIUM, using these malicious codes in their attack campaigns.
• Threat actors use these to exploit known issues applications and compromise servers to install the web shells.
• China Chopper was one of the most widely adopted web shells. It was reportedly employed in many cyberespionage campaigns carried out by China-linked APT groups.

In October 2018, security agencies belonging to Five Eyes (United States, United Kingdom, Canada, Australia, and New Zealand) have released a joint report that details some popular hacking tools, including China Chopper.

Closing lines

Microsoft has cautioned system administrators to take the report findings seriously. From their experience of earlier investigations, Microsoft said hackers use web shells to upload other hacking tools on a victim's systems, which could later be used for reconnaissance operations and lateral movement across a victim's internal network.

This might turn a simple web server hacks into much bigger security incidents.