Web Shell attacks Hit #1 in 1H23


According to the recent Cisco Talos blog post and webinar covering the top Internet attacks for the first half of 2023, web shells ranked #1, up from almost non-existent at the end of '22. Not familiar with Cisco Talos? Cisco acquired them back in October of 2015 as its threat intelligence unit. Cyber security is becoming more and more important to our everyday lives. Do you want someone hacking your smart fridge or washer? Nope, so let's jump right in.

What are Web Shells?

  • A shell-like interface that lets a web server be accessed remotely, most likely without the server admin knowing.
  • Installed by a hacker or a nation state, a web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application (PHP, JSP, ASPX, etc.).
  • Put another way, they are small programs or scripts that can be uploaded to a vulnerable server and then opened from the browser to provide a web-based interface for running system commands. They are basically backdoors that run from the browser.
  • Even a simple SQL injection attack can be enough to install a web shell.
  • They are one of the more common payloads delivered by various exploits. They provide an attacker with persistent and convenient access to a compromised site, at times acting like a C2 (Command and Control) operation.

How large are these Web Shells?

They can be as small as a few lines of PHP code or thousands of lines of complex, multi-function shells. They are powerful enough to insert themselves into database traffic and to carry out other malicious behaviour such as creating additional backdoors.

Is your enterprise protected from Web Shells?

Probably not. Most of these scripts are not detected by anti-virus or by most other security tools, which is why web shells are the #1 attack vector for 1H23. Regardless of whether your Internet-facing servers run Linux, Apple or Windows, they need to be protected.

How does one go about limiting and Mitigating Web Shells?

  • Always ensure your operating system is up to date with patches and hardened.
  • Reduce plug-in usage on web-facing servers and applications (reduce the attack surface).
  • Run defense-in-depth practices using a WAF (Web Application Firewall) paired with an IDS (Intrusion Detection System).
  • Run vulnerability scanning for all files.
  • Run a separate File Integrity Monitoring (FIM) tool to ensure that only the files you authorized to be on these servers are there.
  • Audit your configuration at irregular intervals (you don't want to be too predictable).
  • Run EDR as part of a zero trust solution.
  • Never store credentials on any device that has access to the Internet.
  • This is not intended to be a complete list, but it does include several important and powerful options.
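As an added illustration of the FIM bullet above (example code written for this post, not a Cisco Talos or vendor tool): a minimal baseline-and-diff check over a constructed web root that reports files which appeared, vanished or changed, and singles out any newly appeared server-side script of the kinds named above. The directory layout and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Server-side script extensions named in this post; a new one appearing
# outside a planned deployment is the classic web shell footprint.
SCRIPT_EXTS = {".php", ".jsp", ".aspx", ".asp", ".jspx"}

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report drift from the authorised baseline; new scripts get their own key
    so they can be reviewed first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    suspicious = [k for k in added if Path(k).suffix.lower() in SCRIPT_EXTS]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious_new_scripts": suspicious}

def demo() -> dict:
    """Constructed web root: baseline at deploy time, then what FIM would see
    after an unexpected script lands in uploads/ and a page is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)
        (root / "uploads" / "img.php").write_text("<?php /* unexpected */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; // changed ?>")
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored off the server and compared on a schedule, so that a tampered host cannot also rewrite its own reference hashes.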

Hackers have web shell starter kits available on GitHub

No, I don't approve of this; I'm just passing along the information that these types of attacks will get more prevalent and potentially dangerous.

The hackers continue to hone their skills and change their tactics; I'm just spreading the news, so don't shoot the messenger.

Credits - Image belongs to 'clickssl.net'
