According to Microsoft, the number of malicious web shells installed on web servers has almost doubled since it was last counted in August 2020.
In a blog post yesterday, the Redmond company said it detected roughly 140,000 web shells per month between August 2020 and January 2021, up from the monthly average of 77,000 reported last year.
The number has increased due to a change in the way hackers view web shells. In the past, web shells were seen as a tool for script kiddies defacing websites and a preferred tool for DDoS botnet operators. Today, web shells are part of the arsenal of ransomware gangs and nation-state hackers alike and are crucial tools for complex attacks.
Two of the reasons they are so popular are their versatility and the access they offer to hacked servers.
Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server – such as PHP, ASP, JSP, or JS – and can easily be hidden in the source code of a website. This makes their detection a difficult process that often requires manual analysis by a human operator.
In addition, web shells provide hackers with an easy way to execute commands on a hacked server through a graphical or command line interface, providing an easy way for attackers to escalate attacks.
Web shells become more common as more servers come online
As corporate IT has shifted towards hybrid cloud environments, the number of companies running web servers has increased in recent years, and in many cases publicly accessible servers often have direct connections to internal networks.
As Microsoft’s statistics show, attackers also seem to have discovered this change in the composition of corporate IT networks and increased their attacks on publicly accessible systems.
Web shells now play a vital role in their attacks as they provide a way to control the hacked server and then orchestrate a pivot to a target’s internal network.
The US National Security Agency warned against such attacks in April 2020 when it published a list of 25 vulnerabilities that were commonly used to install web shells.
The NSA report warned not only of web shells used on publicly available systems, but also of their use on internal networks, where they are used as proxies to hop onto non-publicly available systems.
Microsoft is urging companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of the biggest security threats today. To ensure the security of networks, the operating system manufacturer recommends a few basic measures:
- Patch publicly available systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
- Extend virus protection to web servers, not just employee workstations.
- Segment networks to limit the damage from an infected server to a small number of systems rather than the entire network.
- Frequently review and audit logs from web servers, especially for publicly accessible systems, which are more exposed to scanning and attack.
- Practice good credential hygiene. Restrict the use of accounts with local or domain administrator rights.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
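As an added illustration of the log-review recommendation (example code, not from Microsoft's post or this article), the Python heuristic below parses Apache combined-format access lines (constructed sample data) and flags server-side script paths whose traffic looks operator-driven rather than visitor-driven: POST-only, no referrer, a single client address and a non-browser user agent. The thresholds, the directory names and the "Mozilla" user-agent check are assumptions for the example, not published indicators.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not real traffic). Three POSTs from one
# non-browser client to a dot-prefixed PHP file under an upload directory sit
# among ordinary page views that arrive via links on the site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:10:01:05 +0000] "GET /about.php HTTP/1.1" 200 3100 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2021:10:02:11 +0000] "POST /uploads/img/.cache.php HTTP/1.1" 200 812 "-" "python-requests/2.25"
198.51.100.9 - - [10/Feb/2021:10:02:13 +0000] "POST /uploads/img/.cache.php HTTP/1.1" 200 2048 "-" "python-requests/2.25"
198.51.100.9 - - [10/Feb/2021:10:02:20 +0000] "POST /uploads/img/.cache.php HTTP/1.1" 200 455 "-" "python-requests/2.25"
192.0.2.44 - - [10/Feb/2021:10:03:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://example.test/contact.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Extensions of the script types the article names; .js is kept for Node-style apps.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".js")

def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_scripts(text, min_hits=3):
    """Return {path: [reasons]} for script paths whose requests look like an
    operator sending commands to a web shell rather than visitors browsing."""
    per_path = defaultdict(list)
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if path.lower().endswith(SCRIPT_EXT):
            per_path[path].append(rec)
    flagged = {}
    for path, recs in per_path.items():
        if len(recs) < min_hits:                     # too little traffic to judge
            continue
        reasons = []
        if all(r["method"] == "POST" for r in recs):
            reasons.append("POST-only")              # commands travel in the body
        if all(r["referer"] in ("", "-") for r in recs):
            reasons.append("no referrer")            # never reached via a site link
        if len({r["ip"] for r in recs}) == 1:
            reasons.append("single client")          # one operator, not many visitors
        if all(not r["ua"].startswith("Mozilla") for r in recs):
            reasons.append("non-browser agent")      # assumption: scripted client
        if len(reasons) >= 3:                        # require several signals to fire
            flagged[path] = reasons
    return flagged
```

Any flagged path is a starting point for the manual source review the article describes, not a verdict; legitimate API endpoints can show some of the same signals.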