Attackers Increasingly Using Web Shells to Create Backdoors
NSA, Australian Signals Directorate, Offer Mitigation Tips
The U.S. National Security Agency and the Australian Signals Directorate have issued a joint advisory warning that attackers are increasingly using web shells to create backdoors within infected networks.
The advisory offers guidance for how to detect web shells within infected web servers and networks and describes methods for removing these malicious tools and preventing attackers from taking advantage of unpatched servers.
Attackers are relying more on web shells to create persistence within networks, hide their activities and regain entry if detected and removed from the network, the advisory warns.
"Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic," the advisory notes.
A web shell is malicious code that attackers deploy on vulnerable web servers to execute arbitrary system commands over HTTPS, which helps the malicious traffic blend in with normal network traffic, according to the report. Web shells also give attackers persistent backdoor access to compromised networks, and they use encryption and obfuscation techniques to avoid detection by security tools.
Attackers frequently chain together web shells on compromised web servers to route traffic across targeted networks, the advisory points out.
Web shells can be written in a variety of programming languages, including PHP, ASP.NET, Perl, Ruby, Python and Unix, according to a previous report by the U.S. Cybersecurity and Infrastructure Security Agency.
Security researchers have also called attention to the use of web shells by attackers, including threat actors with ties to nation-states.
In February, for example, Microsoft published a report that found an average of 77,000 web shells were detected within about 46,000 machines every month.
"We observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to," Microsoft noted.
Patching as Best Defense
The NSA and Australian Signals Directorate advisory notes that the best defense is patching the vulnerabilities that attackers are known to target. It includes a list of some of the most common flaws in software from Microsoft, Adobe, Zoho and other vendors that have been used to help install web shells.
"Organizations are encouraged to patch both internet-facing and internal web applications rapidly to counter the risks from 'n-day' vulnerabilities," according to the advisory.
Additional Advice Available
The NSA also created a GitHub page that includes additional advice and technical details for detecting, removing and recovering from these types of web shell attacks. For example:
- Because web shells rely on creating or modifying files within existing web applications, they can be detected by comparing a verified benign version of the web app with the production version.
- When they are deployed on systems other than web servers, web shells run exclusively in memory and can listen and respond on previously unused ports. So administrators should look for unexpected network flows to detect the web shell.
- The use of endpoint detection and response, along with enhanced host logging solutions, could help detect these types of attacks because web shells cause the web server process to exhibit unusual behavior.
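As an added example of the file-comparison approach in the first bullet (not the page's or the NSA's own code), this script hashes every file in a known-good copy of a web application and in the deployed copy, then reports files that were added, modified or removed in production; the directory trees and file contents it builds are constructed for the demo.

```python
"""Diff a known-good copy of a web application against the deployed copy.
Web shells are created by adding or altering files inside an existing
application, so new or modified files in production are the artifacts to review."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's relative POSIX path to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(known_good, production):
    """Return (added, modified, missing) relative paths of production vs. baseline."""
    good = hash_tree(known_good)
    prod = hash_tree(production)
    added = sorted(set(prod) - set(good))
    missing = sorted(set(good) - set(prod))
    modified = sorted(p for p in prod if p in good and prod[p] != good[p])
    return added, modified, missing


def build_demo_trees():
    """Constructed sample: a clean baseline and a production copy with two deviations."""
    base = Path(tempfile.mkdtemp())
    good, prod = base / "known_good", base / "production"
    for root in (good, prod):
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "inc" / "config.php").write_text("<?php $db = 'app'; ?>\n")
    # Constructed deviations: one dropped file and one tampered include
    (prod / "inc" / "cache.php").write_text("<?php /* constructed new file */ ?>\n")
    (prod / "inc" / "config.php").write_text("<?php $db = 'app'; /* constructed edit */ ?>\n")
    return good, prod


if __name__ == "__main__":
    g, p = build_demo_trees()
    added, modified, missing = compare_trees(g, p)
    print("added:", added, "modified:", modified, "missing:", missing)
```

In practice the baseline comes from source control or a release artifact kept off the web server, and every reported path is reviewed by hand rather than treated as proof of compromise.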
Change in NSA's Strategy
Over the last year, the NSA, which for years was cloaked in secrecy, has taken a much more public role when it comes to providing cybersecurity advice and guidance to government agencies as well as private businesses.
For example, in January, the NSA worked with Microsoft to disclose a vulnerability in the Windows 10 operating system that could allow attackers to execute man-in-the-middle attacks or decrypt confidential data within applications (see: NSA Uncovers 'Severe' Microsoft Windows Vulnerability).