Detect and prevent
The US National Security Agency (NSA) has stepped out from the shadows to offer business advice on combating the growing scourge of web shell malware.
Attackers deploy web shell malware on targeted servers to execute arbitrary system commands.
The technique – which has been around for years but is growing in prevalence – allows attackers to gain persistent access to compromised networks.
Attackers typically create web shells by adding or modifying a file in an existing web application.
Although web servers are the typical target of such attacks, attackers sometimes plant web shells on non-internet facing web servers, such as internal content management systems or network device management interfaces.
In response, the NSA has teamed up with its close intel agency partner the Australian Signals Directorate to put together a Cybersecurity Information Sheet (CSI) on mitigating web shell malware.
The CSI (PDF) offers best practice guidance on the prevention and detection of malicious web shells.
The guidance includes various scripts in addition to Snort rules, Splunk queries, and a list of commonly exploited web application vulnerabilities, among other content.
What is web shell malware?
A web shell can be defined as a malicious script that allows an attacker to escalate and maintain persistent access on an already compromised web application.
A statement from the NSA explains: “Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic.
“This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic,” it added.
How common is web shell malware?
Back in February, Microsoft said its was detecting an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines in any given month.
The figures were something of a wake-up call to the industry, which had previously though the prevalence of malicious web shells were far lower.
Ilia Kolochenko, founder and chief exec of web security company ImmuniWeb, said that many cyber gangs automate intrusion and web shell installation on vulnerable websites.
“Often, they [attackers] harvest successfully deployed web shells in a few days or even weeks after launching the attack,” Kolochenko explained.
“Unless some obfuscation of code is used, a web shell can be easily located by various security software.
"Usually, once a web shell is uploaded, it is fairly simple to root the server by exploiting unpatched vulnerabilities or its insecure configuration. Detection of web shells is a fairly routine operation.
“Moreover, such attacks are usually attributable to junior hackers [who are] unskilled or careless enough to upload a web shell without obfuscation and proper removal after backdooring the server,” he added.