Security personnel at Microsoft are seeing a major increase in the use of web shells, the lightweight programs that hackers install so that they can dig deeper into compromised websites.
The average number of web shells installed from August 2020 to January this year was 144,000, almost twice as many as in the same months in 2019 and 2020. The spike represents an acceleration in growth that the same Microsoft researchers saw last year.
A Swiss Army Knife for Hackers
The growth is a sign of how useful and difficult to detect these simple programs can be. A web shell is an interface that allows hackers to run standard commands on web servers once the servers have been compromised. Web shells are built using web-based programming languages such as PHP, JSP, or ASP. The command interfaces work much like browsers.
Once the web shells are successfully installed, remote hackers can do most of the things legitimate administrators can do. Hackers can use them to execute commands that steal data, execute malicious code, and provide system information that allows lateral movement into a compromised network. The programs can also provide a persistent form of backdoor access that remains surprisingly difficult to detect despite their effectiveness.
In a blog post published Thursday, members of the Microsoft Detection and Response Team and the Microsoft 365 Defender Research Team wrote:
Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We often see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves behind a malicious implant after gaining a first foothold on a server. If they go undetected, web shells provide attackers with a way to continue collecting data from and monetizing the networks they access.
Compromise remediation cannot be successful and sustainable without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, for many, restoring existing assets is the only viable option. Thus, finding and removing all backdoors is a critical aspect of compromise recovery.
In early July, the Metasploit hacking framework added a module that exploited a critical vulnerability in the BIG-IP advanced delivery controller, a device created by F5 that is typically placed between a perimeter firewall and a web application to perform load balancing and other tasks. A day later, Microsoft researchers saw that hackers were using the exploit to install web shells on vulnerable servers.
Initially, hackers used the web shells to install malware that used the computing power of the servers to mine cryptocurrency. Less than a week later, researchers saw hackers exploiting the BIG-IP vulnerability to install web shells for a much wider range of purposes on both government and private-sector servers.
In another case last year, Microsoft said it was conducting an incident response after a public sector organization discovered that hackers had installed a web shell on one of its Internet-facing servers. The hackers had “uploaded a web shell in multiple directories on the web server, leading to the compromise of service accounts and domain administrator accounts,” Microsoft researchers wrote. “This allowed the attackers to conduct reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and finally move laterally using PsExec.”
The hackers then installed a backdoor on an Outlook server that intercepted all incoming and outgoing emails, performed additional reconnaissance, and downloaded other malicious payloads. Among other things, the backdoor let the hackers send specially crafted emails that it interpreted as commands.
Needle in a haystack
Because they use standard web development languages, web shells can be difficult to detect. What makes it even more difficult is that web shells have multiple ways to execute commands. Attackers can also hide commands in user agent strings and parameters passed during an exchange between an attacker and the compromised website. As if that weren’t enough, web shells can be saved in media files or other non-executable file formats.
“When this file is loaded and analyzed on a workstation, the photo is harmless,” Microsoft researchers wrote. “But when a web browser asks a server for this file, malicious code is executed on the server side. These challenges in detecting web shells contribute to their increasing popularity as an attack tool.”
Thursday’s post lists several steps administrators can take to prevent web shells from landing on a server. They include:
- Identify and fix vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as they become available.
- Implement proper segmentation of your perimeter network so that a compromised web server doesn’t compromise the corporate network.
- Enable antivirus protection on web servers. Enable cloud-delivered protection to get the latest protection against new and emerging threats. Users should only be able to upload files in folders that can be scanned by antivirus and that are configured not to allow server-side scripting or execution.
- Periodically check and review web server logs. Be aware of any systems you expose directly to the Internet.
- Use the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communications between endpoints whenever possible, limiting lateral movement and other attack activities.
- Check your perimeter firewall and proxy to limit unnecessary access to services, including access to services through non-standard ports.
- Practice good credential hygiene. Restrict the use of accounts with local or domain administrator-level privileges.
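Two of the points above lend themselves to a concrete check: web shells hidden inside media files or driven through user agent strings and request parameters, and the advice to review web server logs. The script below is an added example, not code from Microsoft's post or from the NSA tools; it scans a (constructed, in-memory) web root for server-side script tags inside files that claim to be images and for script files that pass request input into execution functions, and it reviews constructed Apache combined-format log lines for requests that treat media files as scripts or carry parameters in the user agent. The file contents, log lines and pattern lists are assumptions for the example and would need tuning for a real deployment.

```python
"""Added example: defender-side checks for web shell indicators.

scan_files()  - flags (a) server-side script openers inside media files and
                (b) script files where request input reaches an exec function.
scan_log()    - flags requests that send parameters to media files and user
                agent strings that look like a command channel.

All sample data is constructed for this example; the dict of files stands in
for a directory walk so the script runs offline.
"""
import os
import re

MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".pdf", ".mp4"}
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}

# Server-side script openers (PHP, JSP/ASP, ASP.NET) that do not belong in an image.
SCRIPT_TAG_RE = re.compile(r"<\?php|<\?=|<%[@=!]?|runat\s*=\s*['\"]server", re.I)
# Functions that turn a string into code or a process (assumed, PHP-centric list).
EXEC_RE = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\("
    r"|Runtime\.getRuntime\(\)\.exec|ProcessStartInfo|Process\.Start"
)
# Places where request-controlled input enters a script.
REQUEST_RE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
    r"|request\.getParameter|Request\.(?:Form|QueryString|Headers)|Request\["
)

# Constructed web root: path -> raw bytes.
SAMPLE_FILES = {
    "uploads/avatar.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00<?php system($_GET['c']); ?>",
    "uploads/photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "index.php": b"<?php echo 'hello'; ?>",
    "uploads/helper.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
}


def scan_file(path, content):
    """Return the reasons a file looks like a web shell (empty list if none)."""
    ext = os.path.splitext(path)[1].lower()
    text = content.decode("latin-1")  # never fails; patterns are byte-level anyway
    reasons = []
    if ext in MEDIA_EXTS and SCRIPT_TAG_RE.search(text):
        reasons.append("server-side script tag inside a media file")
    if ext in SCRIPT_EXTS and EXEC_RE.search(text) and REQUEST_RE.search(text):
        reasons.append("request input reaches a code/command execution function")
    return reasons


def scan_files(files):
    """files: {relative path: bytes}. Returns only entries with findings."""
    hits = {}
    for path, content in files.items():
        reasons = scan_file(path, content)
        if reasons:
            hits[path] = reasons
    return hits


# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A browser UA names a product; key=value pairs, pipes/backticks/$ or a long
# base64 run in the UA suggest it is being used to carry commands.
ODD_UA_RE = re.compile(r"[|`$]|(?:^|[?&\s])\w+=\S|[A-Za-z0-9+/]{40,}={0,2}")

# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [10/Feb/2021:10:16:44 +0000] "POST /uploads/avatar.jpg HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [10/Feb/2021:10:17:01 +0000] "GET /uploads/avatar.jpg?c=id HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.2 - - [10/Feb/2021:10:18:20 +0000] "GET /uploads/photo.png HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '198.51.100.2 - - [10/Feb/2021:10:19:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "cmd=whoami"',
]


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return [(line number, reason)] for lines worth a closer look."""
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse_log_line(line)
        if rec is None:
            findings.append((n, "unparseable line"))
            continue
        path, _, query = rec["target"].partition("?")
        ext = os.path.splitext(path)[1].lower()
        if ext in MEDIA_EXTS and (rec["method"] == "POST" or query):
            findings.append((n, f"{rec['method']} with parameters to media file {path}"))
        if ODD_UA_RE.search(rec["ua"]):
            findings.append((n, f"suspicious user agent {rec['ua']!r}"))
    return findings


if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {'; '.join(reasons)}")
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {reason}")
```

On the constructed data the file scan flags `uploads/avatar.jpg` and `uploads/helper.php` and leaves `index.php` and `uploads/photo.png` alone, while the log review flags the POST to the image, the GET with a query string to the same image, and the request whose user agent is a `key=value` pair. In practice the upload directory check pairs with the post's advice to deny server-side script execution in upload folders: a script tag inside an image is only dangerous if the server will execute it.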
The National Security Agency has published tools that help administrators detect and remove web shells on their networks.