Recently, Microsoft released an investigative report revealing that several active web shell attacks take place every day. Read on to know more…
Recently, Microsoft released an investigative report revealing that on average 77,000 active web shells across 46,000 infected servers each day. Adding more to the comments, Microsoft researchers said that 77,000 detections on a daily base is a worrisome figure. This implies that an intense activity of threat actors in the cybers landscape. Earlier this month GoDaddy’s Sucuri reported on cleaning around 3,600 web shells from hacked websites during all last year, in 2019, a number dwarfed by Microsoft’s daily detection count.
About Web Shell
A web shell is a malicious script attackers plant to escalate or maintain persistent access on an already compromised web application. Web shells are crucial because of their functions. Microsoft’s numbers highlight the prevalence of these tools in the today’s hackers’ arsenals — where web shells are considered a must for every threat actor, from lowly hacktivist groups defacing websites to state-sponsored cyber-espionage groups.
They provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shell contain basic functions to rename, copy, move, and even edit or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server.
Microsoft team found out several threat groups, including ZINC, KRYPTON, and GALLIUM, using these malicious codes in their attack campaigns. Threat actors used these malicious codes to exploit known issues applications and compromise servers to install the web shells. China Chopper was one of the most widely adopted web shells. It was reportedly employed in many cyberespionage campaigns carried out by China-linked APT groups.
In October 2018, security agencies belonging to Five Eyes — United States, United Kingdom, Canada, Australia, and New Zealand — have released a joint report that details some popular hacking tools, including China Chopper.
“Unfortunately, these gaps appear to be widespread, given that every month, Microsoft Defender Advanced Threat Protection (ATP) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.” reads the report published by Microsoft.
“Because web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces.” concludes Microsoft. ” Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious. “
The Road Ahead
Microsoft has cautioned system administrators to take the report findings seriously. From their experience of earlier investigations, Microsoft said hackers use web shells to upload other hacking tools on a victim’s systems, which could later be used for reconnaissance operations and lateral movement across a victim’s internal network. This might turn a simple web server hacks into much bigger security incidents.