NSA published a list of the most used vulnerabilities

NSA published a list of the most used vulnerabilities

The US National Security Agency and the Australian Department of Electronic Defense prepared recommendations for companies to search for web shells (web shell) on internal servers and servers that "look" on the Internet. In their report, experts provide a list of threats that are most often used to deploy web shells.

Experts write that web shells are one of the most popular forms of malware today. The term “web shell” usually refers to a malicious program or script installed on a hacked server. For example, in February of this year, Microsoft announced that it daily finds about 77,000 active web shells.

Most web shells provide a hacker with a visual interface that can be used to interact with a hacked server and its file system and also have functions that allow you to rename, copy, move, edit or upload new files to the server. In addition, the web shell can be used to change access rights to files and directories, as well as archiving and downloading (theft) of data from the server.

Web shells can be written in any language, from Go to PHP, which allows attackers to hide them inside the code of any site under common, not suspicious names (for example, index.asp or uploader.php). As a result, the human operator is unlikely to be able to detect the web shell on their own, without the help of a firewall or a malware scanner.

Researchers warn that many companies do not fully understand the dangers of installing web shells on their systems. In essence, web shells act as backdoors, and you need to treat them accordingly.

“Web shells can serve as stable backdoors or transit nodes for redirecting malicious teams to other systems. Attackers often bundle web shells in several compromised systems to route traffic, for example, from Internet systems to internal networks, ”experts say in the report.

The US National Security Agency and the Australian Department of Radio engineering recommend that system administrators use the following tools to detect web shells (many of which are available in the NSA’s special repository on GitHub ): 

  • scripts to compare the site with its obviously good image;
  • Splunk requests to detect abnormal URLs in traffic;
  • log analysis tool Internet Information Services (IIS);
  • network traffic signatures for well-known web shells;
  • instructions for identifying suspicious network streams;
  • instructions for identifying abnormal process calls among Sysmon data;
  • instructions for identifying abnormal process calls with Audited;
  • HIPS rules for blocking changes to directories accessible from the web;
  • list of commonly exploited vulnerabilities in web applications.
But before moving on to looking for compromised hosts, administrators are strongly advised to update their systems and fix possible vulnerabilities. So, analysts list vulnerabilities in popular products that are most often used by cybercriminals to install web shells. This list, which can be seen below, includes Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, Zoho ManageEngine, and Adobe ColdFusion.

“This list is not exhaustive, but gives an idea of ​​some commonly used problems,” experts say.

Vulnerability IDVulnerable productThe problem became known
CVE-2019-0604Microsoft SharePointMay 15, 2019
CVE-2019-19781Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOPJanuary 22, 2020
CVE-2019-3396Atlassian confluence serverMay 20, 2019
CVE-2019-3398Atlassian Confluence Server and Atlassian Confluence Data CenterNovember 26, 2019
CVE-2019-9978Social Warfare WordPress PluginApril 22, 2019
Progress Telerik UIFebruary 7, 2019
CVE-2019-11580Atlassian Crowd and Crowd Data CenterJuly 15, 2019
CVE-2020-10189Zoho ManageEngine Desktop CentralMarch 6, 2020
CVE-2019-8394Zoho ManageEngine ServiceDesk PlusFebruary 18, 2019
CVE-2020-0688Microsoft Exchange ServerMarch 10, 2020
CVE-2018-15961Adobe ColdFusionNovember 8, 2018

Post a Comment

Previous Post Next Post