From a tool for script kiddies to the arsenal of ransomware gangs and nation-state hackers, web shells have become crucial tools used by hackers in complex intrusions. Because of the versatility and access that web shells provide, the volume of such attacks has almost doubled since last year, according to a recent report from Microsoft's Detection and Response Team.
Microsoft's detection and tracking
Microsoft has reported that between August 2020 and January 2021 it observed around 140,000 web shells a month, up from roughly 77,000 last August.
- Microsoft's stats have shown the crucial role of web shells as an entry point and persistence mechanism for attacks on public-facing systems in corporate IT networks.
- Because they can be written in almost any programming language that runs on a web server, such as ASP, JSP, JS, or PHP, web shells are difficult to detect.
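As an added example (not from the report or from Microsoft), the following heuristic scanner looks for the trait the languages above share rather than for any one language's syntax: request input fed into a command-execution or code-evaluation call, checked after collapsing whitespace so padding cannot hide the call. File names and file contents are constructed for the demonstration.

```python
import os
import re

# Added example: heuristic scan for web-shell style scripts. A web shell
# typically takes input from the HTTP request and hands it to a command
# execution or code evaluation call; flag files that do both.
SIGNATURES = {
    ".php": (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
             re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")),
    ".aspx": (re.compile(r"\bRequest(?:\.(?:Form|QueryString|Item))?\s*[\[\(]"),
              re.compile(r"\b(?:Process\.Start|Execute|ExecuteGlobal|eval)\s*\(")),
    ".jsp": (re.compile(r"\brequest\.getParameter\s*\("),
             re.compile(r"\bRuntime\.getRuntime\(\)\.exec\s*\(|\bProcessBuilder\s*\(")),
}
SIGNATURES[".asp"] = SIGNATURES[".aspx"]  # classic ASP shares the ASPX patterns

def normalize(src: str) -> str:
    """Collapse runs of whitespace so padding cannot split a call such as
    'eval   (' across many blanks or lines (whitespace obfuscation)."""
    return re.sub(r"\s+", " ", src)

def scan_source(filename: str, src: str) -> dict:
    """Verdict for one file's contents; the extension selects the language patterns."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SIGNATURES:
        return {"file": filename, "suspicious": False, "exec_calls": []}
    input_re, exec_re = SIGNATURES[ext]
    text = normalize(src)
    exec_calls = sorted({m.group(0).rstrip("( ") for m in exec_re.finditer(text)})
    suspicious = bool(input_re.search(text)) and bool(exec_calls)
    return {"file": filename, "suspicious": suspicious, "exec_calls": exec_calls}

# Constructed sample files (not real captures): two minimal shells, one
# whitespace-padded shell, and two benign scripts that only read request input.
SAMPLES = {
    "upload/img.php": "<?php @eval($_POST['cmd']); ?>",
    "contact.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "pad.php": "<?php\n\n\n      eval   (   $_REQUEST   [ 'k' ]   )   ;   ?>",
    "tools/x.aspx": "<% System.Diagnostics.Process.Start(Request[\"c\"]); %>",
    "view.jsp": "<%= request.getParameter(\"page\") %>",
}

def scan_samples(samples: dict = SAMPLES) -> list:
    """Names of the files flagged as suspicious, in the order given."""
    return [name for name, src in samples.items() if scan_source(name, src)["suspicious"]]

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(scan_source(name, src))
```

The heuristic is deliberately narrow (input plus execution in the same file), so it complements rather than replaces file-integrity monitoring of the webroot and the mitigations listed later on this page.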
How do web shells help?
Through web shell attacks, hackers can execute commands via a graphical or command-line interface on a compromised server, control that server, steal data and login credentials, use the compromised devices to launch two-stage attacks, and move laterally throughout the network.
You should also know
- Recently, PHP malware was discovered that used whitespace obfuscation to hide multiple backdoors and web shells.
- In January, the Chopper ASPX web shell named Backdoor.ASP.WEBSHELL.UWMANA was discovered in a targeted attack.
- Hackers were using the BumbleBee web shell to upload and download files to and from the compromised Exchange server, run commands that the actor used to discover additional systems, and move laterally to other servers on the network.
Quick action required
It is paramount that victims re-prioritize their approach to counter the escalating prevalence of web shells. The basic actions include patching public-facing systems, deploying antivirus protection on web servers, segmenting the network, and maintaining good credential hygiene.