What can bad guys use to launch a ransomware attack, facilitate an email spamming platform, or ensure persistent access to an enterprise? Compiled malware and compromised credentials could work. But web shells provide an even more stealthy way to establish a beachhead and quietly hide on the network for future operations.
Web shells are not a new tactic. But they have been used in a number of recent attacks. We saw them in the ransomware attack that hit MedStar, which operates hospitals and healthcare facilities throughout the Washington D.C. metro area. Web shells have also recently been uncovered on a Facebook server, found on a popular software tool used by websites to process user-submitted photos, and discovered within a compromised commercial bank.
What makes them such a popular tactic in the attacker’s toolkit? One reason is that they are hard to detect. Attackers typically install web shells on Internet-facing web servers where they take advantage of installed applications. Depending on configuration and installed applications, internally facing servers could be targeted as well.
An attacker can introduce a web shell by exploiting a web application vulnerability or even a feature, such as content upload. The web shell can be as simple as a piece of code that provides a command shell on the targeted system. Or it can be as complex as an executable file that installs a full-blown Remote Administration Tools (RAT). The web shell code runs on the targeted server using existing resident applications.
Recently, the Los Angeles Times was hit when attackers leveraged a subdomain page using WordPress, a popular Content Management System (CMS) used for blogging and serving content. Many times, CMS targeting is associated with email spam campaigns.
While web shells are a favorite tool for email spammers, we have also witnessed numerous nation state actors employ web shells as part of cyber espionage campaigns.
Despite the seemingly ubiquitous nature of web shells, defenders and system owners can take preemptive actions to reduce the likelihood of being compromised by them. In parallel, defenders and administrators can also use web shell footprints and artifacts to detect their presence. Here are a few recommendations to get you started:
- Review anomalies in access and error logs regularly.
- Ensure server software and web applications are updated regularly.
- Prevent your web server from divulging specific details/information about itself.
Fidelis’ white paper, Understanding Web Shells, contains additional preemptive considerations, artifacts useful in detecting many web shells and additional recommendations. Download the complimentary paper to learn more.
-- David Gilbert, Manager, Security Consulting Services