The security agencies of the US and Australia, the NSA (National Security Agency) and the ASD (Australian Signals Directorate), have issued a joint security advisory warning that threat actors are increasingly exploiting web application vulnerabilities to compromise web servers and deploy malicious web shells.
The NSA and ASD recommend that companies inspect their internal and Internet-connected servers for common web shells.
Web shells are one of the most popular forms of malware used by hackers on compromised internal or internet-exposed servers to gain access, execute arbitrary code remotely, and deliver malicious payloads. A web shell gives the hacker an interface for interacting with the hacked server and its file system.
Most web shells come with functions for renaming, copying, deleting, editing, and uploading files on the server. They can also be used to change permissions on files and directories, and to archive and upload data, simply to steal it from the infected server.
To help mitigate these malicious programs and scripts, the US security agency, the NSA (National Security Agency), has provided free tools to identify and neutralize them.
Here’s what the NSA stated: “Malicious cyber attackers have increasingly leveraged the web shells to gain or maintain access on victim networks.” The ASD later added that “these tools and supervision will be useful for any network defenders or administrators who are responsible for managing the web servers.”
Hackers install web shells on internet-connected servers or in web applications (content management systems (CMS), CMS plug-ins, CMS themes, CRM systems, internal corporate networks, corporate applications, etc.) by exploiting vulnerabilities in them.
List of Tools Published by the NSA and ASD:
- Splunk queries for detecting abnormal URLs in web traffic.
- A tool for analyzing Internet Information Services (IIS) logs.
- Instructions for identifying abnormal process invocations with Auditd.
- HIPS rules for blocking changes to web-accessible directories.
- Network traffic signatures for common web shells.
- Instructions for identifying abnormal traffic flows.
- Guidelines for identifying abnormal process invocations in Sysmon data.
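As an added illustration of the log-analysis approach behind the IIS-log and abnormal-URL items above, here is a Python script written for this article (not one of the NSA/ASD tools) that parses constructed IIS W3C log lines and flags URI stems that only a few client addresses reach, mostly by POST and never via a Referer. The sample lines and thresholds are assumptions for the demonstration, not values from the advisory.

```python
from collections import defaultdict

# Constructed IIS W3C-format sample lines (not real traffic); the #Fields header
# names the columns, as IIS writes it. Spaces inside values appear as "+" in IIS logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-22 10:00:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.10 Mozilla/5.0 - 200 0 0 15
2020-04-22 10:00:02 10.0.0.5 GET /index.aspx - 443 - 198.51.100.11 Mozilla/5.0 - 200 0 0 12
2020-04-22 10:00:03 10.0.0.5 GET /about.aspx - 443 - 198.51.100.12 Mozilla/5.0 - 200 0 0 9
2020-04-22 10:00:04 10.0.0.5 GET /index.aspx - 443 - 198.51.100.13 Mozilla/5.0 - 200 0 0 11
2020-04-22 10:01:10 10.0.0.5 POST /uploads/img.aspx - 443 - 203.0.113.7 python-requests/2.23 - 200 0 0 310
2020-04-22 10:01:12 10.0.0.5 POST /uploads/img.aspx - 443 - 203.0.113.7 python-requests/2.23 - 200 0 0 287
2020-04-22 10:01:15 10.0.0.5 POST /uploads/img.aspx - 443 - 203.0.113.7 python-requests/2.23 - 200 0 0 402
"""

def parse_iis_log(text):
    """Yield one dict per request, keyed by the #Fields names; skip other comment lines."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_suspicious_uris(text, max_clients=2, min_post=2):
    """Flag successfully served URI stems that only a few client IPs reach, mostly
    by POST and never with a Referer: the access pattern a web shell tends to show."""
    clients, posts, total, no_ref = defaultdict(set), defaultdict(int), defaultdict(int), defaultdict(int)
    for rec in parse_iis_log(text):
        if not rec["sc-status"].startswith("2"):
            continue  # only consider requests the server actually served
        uri = rec["cs-uri-stem"].lower()
        total[uri] += 1
        clients[uri].add(rec["c-ip"])
        posts[uri] += int(rec["cs-method"] == "POST")
        no_ref[uri] += int(rec["cs(Referer)"] == "-")
    # Thresholds are illustrative assumptions; tune them against your own traffic baseline.
    return sorted(uri for uri in total
                  if len(clients[uri]) <= max_clients
                  and posts[uri] >= min_post
                  and no_ref[uri] == total[uri])

if __name__ == "__main__":
    print(find_suspicious_uris(SAMPLE_LOG))  # ['/uploads/img.aspx']
```

A hit is a starting point for review (checking the file's creation time and contents, and what the worker process spawned), not proof of compromise on its own.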
Here’s The List of Web Application Vulnerabilities Used to Install Web Shells
Apart from these tools, the agencies have also provided a list of commonly exploited web application vulnerabilities in web apps and other popular products, including Microsoft SharePoint, Citrix, Microsoft Exchange, Atlassian Confluence, WordPress, Zoho ManageEngine, and Adobe ColdFusion.
Detect, Prevent, and Mitigate Web Shell
Generally, companies understand the danger posed by malicious web shells on their servers: they act as backdoors and require the strictest security measures to mitigate. For this reason, the US National Security Agency and the Australian Signals Directorate (ASD) have published a joint report that draws companies' attention to this often-ignored attack vector.
Here’s what the report states: “Web shells can play the role of tenacious backdoors or relay links to route malicious programs or scripts to other systems. Usually, hackers connect web shells on several compromised systems simply to route traffic over networks, from the internet-connected systems to internal networks.”
So, what do you think about this? Simply share all your views and thoughts in the comment section below.