NSA published a list of the most used vulnerabilities

The US National Security Agency and the Australian Signals Directorate have prepared recommendations for organizations on hunting for web shells on both internal and internet-facing servers. In their report, the experts list the vulnerabilities most often used to deploy web shells.

The experts write that web shells are one of the most widespread forms of malware today. The term “web shell” usually refers to a malicious program or script installed on a compromised server. For example, in February of this year Microsoft announced that it detects about 77,000 active web shells every day.

Most web shells give the attacker a visual interface for interacting with the compromised server and its file system, with functions to rename, copy, move, edit or upload files to the server. A web shell can also be used to change permissions on files and directories, and to archive and download (that is, steal) data from the server.

Web shells can be written in any language, from Go to PHP, which lets attackers hide them inside the code of any site under common, unsuspicious names (for example, index.asp or uploader.php). As a result, a human operator is unlikely to spot a web shell on their own, without the help of a firewall or a malware scanner.
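Because the file name gives nothing away, the practical way to catch such a file is to compare the live web root against a known-good baseline rather than to look for suspicious names. The script below is an added example, not code from the article or from the NSA repository it mentions: it hashes every file under a web root, diffs the result against a known-good manifest, and singles out added or modified files whose extension the web server would execute. The directory layout, file contents and the `uploader.php` name planted in the demo are constructed for this example.

```python
"""Compare a web root against a known-good manifest of file hashes.

Constructed example: the "known-good image" is represented by a manifest
mapping relative paths to SHA-256 digests; the live web root is a
temporary directory populated inline so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server will execute; an unexpected file with one of
# these deserves far more attention than an unexpected image.
EXECUTABLE_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".jspx", ".ashx", ".cgi"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_known_good(live_root: Path, known_good: dict) -> dict:
    """Return added, modified, missing and suspicious files relative to the baseline.

    'added' and 'modified' are the lists a web-shell hunt cares about;
    'suspicious' narrows them to server-side script extensions.
    """
    live = build_manifest(live_root)
    added = sorted(set(live) - set(known_good))
    missing = sorted(set(known_good) - set(live))
    modified = sorted(p for p in live.keys() & known_good.keys() if live[p] != known_good[p])
    suspicious = sorted(
        p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXTENSIONS
    )
    return {"added": added, "modified": modified, "missing": missing, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed baseline, plant two changes, and diff against it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        known_good = build_manifest(root)

        # Constructed post-compromise state: a new script with an innocuous
        # name, and a legitimate file modified in place.
        (root / "uploader.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>")
        return compare_to_known_good(root, known_good)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the manifest would be generated from the deployment artifact (the package or container image actually shipped) and stored off the server, since a baseline kept on the compromised host can be edited along with the site.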

The researchers warn that many companies do not fully appreciate the danger of web shells installed on their systems. In essence, web shells act as backdoors and should be treated accordingly.

“Web shells can serve as persistent backdoors or as relay nodes for routing malicious commands to other systems. Attackers often chain web shells on several compromised systems to route traffic, for example from internet-facing systems into internal networks,” the experts say in the report.

The US National Security Agency and the Australian Signals Directorate recommend that system administrators use the following tools to detect web shells (many of them are available in the NSA’s dedicated repository on GitHub):

  • scripts to compare a site with its known-good image;
  • Splunk queries to detect anomalous URLs in traffic;
  • a log analysis tool for Internet Information Services (IIS);
  • network traffic signatures for well-known web shells;
  • instructions for identifying suspicious network flows;
  • instructions for identifying anomalous process invocations in Sysmon data;
  • instructions for identifying anomalous process invocations with auditd;
  • HIPS rules for blocking changes to web-accessible directories;
  • a list of commonly exploited vulnerabilities in web applications.

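The second and third items on that list, anomalous URLs and IIS log analysis, come down to the same question: which URIs are being hit in a way normal visitors do not hit them? The script below is an added example, not the NSA repository’s tooling: it parses IIS W3C logs using the `#Fields:` directive for column names, aggregates requests per URI, and flags script URIs that are reached by very few client IPs, almost always by POST and without a referrer. The log excerpt, the IP addresses and the thresholds are constructed assumptions for this example.

```python
"""Flag URIs in IIS W3C logs whose access pattern resembles web-shell use.

Constructed example: the log lines below are made up for this example and
use the default IIS W3C field set. The heuristics (few distinct client IPs,
mostly POST, no referrer, a server-side script extension) follow the
pattern the advisory describes; the numeric thresholds are assumptions.
"""
from collections import defaultdict
from pathlib import PurePosixPath

SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}

# Constructed IIS log excerpt. Normal traffic hits index/news/login from many
# client IPs with a referrer; one script under /images/ is POSTed to
# repeatedly by a single IP with no referrer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-22 10:00:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.10 Mozilla/5.0 https://www.example.test/ 200 0 0 120
2020-04-22 10:00:03 10.0.0.5 GET /index.aspx - 443 - 198.51.100.11 Mozilla/5.0 https://www.example.test/ 200 0 0 98
2020-04-22 10:00:05 10.0.0.5 GET /news.aspx id=7 443 - 198.51.100.12 Mozilla/5.0 https://www.example.test/index.aspx 200 0 0 110
2020-04-22 10:00:07 10.0.0.5 POST /login.aspx - 443 - 198.51.100.13 Mozilla/5.0 https://www.example.test/login.aspx 302 0 0 140
2020-04-22 10:00:09 10.0.0.5 GET /index.aspx - 443 - 198.51.100.14 Mozilla/5.0 - 200 0 0 101
2020-04-22 10:01:00 10.0.0.5 POST /images/uploader.aspx - 443 - 203.0.113.77 python-requests/2.23 - 200 0 0 35
2020-04-22 10:01:04 10.0.0.5 POST /images/uploader.aspx - 443 - 203.0.113.77 python-requests/2.23 - 200 0 0 41
2020-04-22 10:01:09 10.0.0.5 POST /images/uploader.aspx - 443 - 203.0.113.77 python-requests/2.23 - 200 0 0 38
"""


def parse_iis_log(text: str):
    """Yield one dict per request, naming columns from the #Fields directive.

    IIS replaces spaces inside field values with '+', so splitting on
    whitespace is safe; lines with the wrong column count are skipped
    rather than risk misaligning columns.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def summarise_uris(records) -> dict:
    """Aggregate hit count, distinct client IPs, POST count and referrer-less count per URI."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "posts": 0, "no_referer": 0})
    for r in records:
        s = stats[r["cs-uri-stem"]]
        s["hits"] += 1
        s["ips"].add(r["c-ip"])
        if r["cs-method"].upper() == "POST":
            s["posts"] += 1
        if r["cs(Referer)"] == "-":
            s["no_referer"] += 1
    return stats


def suspicious_uris(text: str, max_ips: int = 2, min_post_ratio: float = 0.5,
                    min_no_referer_ratio: float = 0.5) -> list:
    """Return (uri, hits, sorted client IPs) for script URIs matching every heuristic.

    Requiring all conditions together keeps ordinary form handlers such as a
    login page (POSTed to, but with a referrer) out of the result.
    """
    stats = summarise_uris(parse_iis_log(text))
    flagged = []
    for uri, s in stats.items():
        if PurePosixPath(uri).suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if len(s["ips"]) > max_ips:
            continue
        if s["posts"] / s["hits"] < min_post_ratio:
            continue
        if s["no_referer"] / s["hits"] < min_no_referer_ratio:
            continue
        flagged.append((uri, s["hits"], sorted(s["ips"])))
    return sorted(flagged)


if __name__ == "__main__":
    for uri, hits, ips in suspicious_uris(SAMPLE_LOG):
        print(f"{uri}: {hits} hits from {', '.join(ips)}")
```

Over a real log volume the thresholds need tuning per site, and the output is a shortlist for review rather than a verdict; a URI flagged this way should be checked against the deployment baseline before it is treated as a web shell.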
Before moving on to hunting for compromised hosts, however, administrators are strongly advised to update their systems and patch known vulnerabilities. To that end, the analysts list vulnerabilities in popular products that cybercriminals most often exploit to install web shells. The list, shown below, includes Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, Zoho ManageEngine and Adobe ColdFusion.

“This list is not exhaustive, but it gives an idea of some commonly exploited problems,” the experts say.

| Vulnerability ID | Vulnerable product | Date the problem became known |
|---|---|---|
| CVE-2019-0604 | Microsoft SharePoint | May 15, 2019 |
| CVE-2019-19781 | Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP | January 22, 2020 |
| CVE-2019-3396 | Atlassian Confluence Server | May 20, 2019 |
| CVE-2019-3398 | Atlassian Confluence Server and Atlassian Confluence Data Center | November 26, 2019 |
| CVE-2019-9978 | Social Warfare WordPress Plugin | April 22, 2019 |
| CVE-2019-18935, CVE-2017-11317, CVE-2017-11357 | Progress Telerik UI | February 7, 2019 |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | July 15, 2019 |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central | March 6, 2020 |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus | February 18, 2019 |
| CVE-2020-0688 | Microsoft Exchange Server | March 10, 2020 |
| CVE-2018-15961 | Adobe ColdFusion | November 8, 2018 |
