Web applications are constantly on the rise. Millions of users rely on them every day for entertainment, study and work. Traditional desktop applications are still valid and widely used, but the trend towards their web versions continues: they are lightweight, efficient and consume far fewer resources overall. However, are we protecting the servers behind them adequately? This guide explains everything about one of the great threats to those servers: web shells.
What is a web shell?
A web shell is a malicious script that an attacker plants on a compromised system, most often a web server. Once the web shell is in place, the cybercriminal has remote control of the system: persistent access that lets them operate it however they like. In other words, web shells act as backdoors into compromised systems, giving the attacker partial or even total control.
Web shells also have a much greater reach: they can be used against the management interfaces of network devices. It is therefore extremely important to follow good secure management practices on networks, above all on those with hundreds or thousands of devices connected every day. The rise of teleworking brings security risks which, although already known, deserve special attention, because working from a "secure" corporate network environment is obviously not the same as working from home. You might wonder whether using a VPN to connect securely to the organization's resources is enough; it is only part of what a network administrator should do.
One of the advantages web shell attacks offer the attacker is that they are versatile and difficult to detect. They are also dangerous and can be used for:
- Data theft.
- Infecting website visitors.
- Launching DDoS attacks.
- Modifying files with harmful intent.
- Turning the server into a bot that is part of a botnet.
Detecting a web shell
The main difficulty in detecting this type of malware is that attackers can apply encryption or obfuscation to hide their malicious activity. This is a direct consequence of how easy it is to plant a script. As we know, the possibilities for cyberattacks are endless and the network's defences must be strengthened continually. Some effective detection methods are as follows:
- Compare the production version of the web application (the one available to users) against a known-good copy. The differences reveal any signs of unusual activity.
- Search for anomalies in web application traffic using monitoring tools.
- Apply signature-based detection, that is, check files against signatures of known web shells so that they are recognised even when they have been modified, if only minimally.
- Look for traffic flows on the network with unusual characteristics.
What tools and procedures should I apply to detect these malicious scripts? Here are some key tips to help you protect yourself effectively.
How to protect your systems and networks from web shells
This type of malware is introduced through vulnerabilities present in:
- Web applications
- Insecure server configurations (bad security practices)
As noted earlier, web shells are also planted directly on the victim systems and networks. This happens mainly because web applications (in most cases) and their vulnerable supporting infrastructure are granted permission to write directly to a web-accessible directory or to modify pieces of web code. Such permissions should not be granted.
Consequently, the systems themselves open the door for cybercriminals to carry out attacks. It is therefore recommended to remove those modification permissions. If that is not possible, there is an alternative, described in the section on IDS/IPS systems and web application firewalls.
Web shell attacks allow threat actors to remotely execute commands on a server and can cause serious harm to organizations. One thing to note is that script-based malware eventually has to run through a small number of interpreters such as cmd.exe, powershell.exe and cscript.exe, which makes those processes a natural choke point to monitor.
In this sense, prevention is essential and Microsoft recommends that we follow a series of guidelines:
- It is necessary to identify and correct vulnerabilities or incorrect configurations in web applications and web servers.
- We must implement proper segmentation of the perimeter network, so that a compromised web server in our organization does not put the rest at risk.
- We have to enable antivirus protection on web servers and also activate the cloud-delivered protection to obtain the latest defenses against new threats.
- Users should only be able to upload files to directories that can be scanned by an antivirus. Those upload directories must also be configured so that they cannot execute files or server-side scripts.
- Web server logs need to be audited and reviewed frequently, and we have to know which systems we expose directly to the Internet.
- We should use Windows Defender Firewall, intrusion prevention devices and the network firewall to block command-and-control communication between endpoints whenever feasible.
- We have to check the perimeter firewall and the proxy to restrict unnecessary access to services.
- We need a good account and credential policy. Here it is important to limit the use of local or domain administrator accounts to those strictly necessary.
IDS / IPS systems and web application firewall
This alternative consists of implementing an integrity monitoring scheme for the files hosted in the application infrastructure. In this way, administrators gain the visibility needed to notice any change that occurs in the web directories and pieces of code.
Another option is a firewall designed specifically for web applications. It is oriented to applications based on HTTP and applies a set of rules to each HTTP conversation. An additional and very notable benefit is that the rules of these firewalls can also protect against other, more lethal attacks such as Cross-Site Scripting and SQL injection, among others. According to OWASP, this type of firewall is aimed at protecting servers, just as a forward proxy protects hosts (users). In fact, Web Application Firewalls are also considered a type of reverse proxy.
This renowned US agency has made a complete repository available on GitHub, with a wide list of methods and tools that will help protect your systems from web shell malware. An interesting point is that no major investment in security solutions is needed.
Take Microsoft's PowerShell as an example. In the repository we have shared, you will find support for detecting web shells using a "Known Good" comparison scheme, and you will also be able to detect suspicious requests in web server logs.
As we can see, it is important to be aware of the main vulnerabilities that are presented not only to web application servers, but also those that are linked to traditional applications and even the data networks themselves. When it comes to cyberattacks, there are endless possibilities and the protection shield must be as robust as possible. Fortunately, online resources and highly accessible tools can help us as administrators prevent more than one tragedy.
Without a doubt, the repository is a good way to block threats of this type; among other things, it includes:
- Known-good file comparison scripts using WinDiff, PowerShell and Linux diff.
- Detection of abnormal requests in web server logs, with Splunk queries for web server logs, a PowerShell script for Microsoft IIS logs and a Python script for Apache httpd logs.
- YARA rules for detecting common web shells.
- HIPS rules that allow the McAfee host-based security system to lock down web directories.
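The "Known Good" comparison scheme from the detection section and the integrity monitoring scheme above, as an added example (not code from the article or from the repository it describes). It assumes the defender keeps a trusted copy of the deployed application and wants to know which files in the live web root were added, removed or modified, which is how a planted web shell or a tampered include shows up.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def compare_manifests(known_good, live):
    """Report files added, removed or modified in the live tree relative to the baseline."""
    base, cur = set(known_good), set(live)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if known_good[p] != live[p]),
    }

def check_web_root(known_good_dir, live_dir):
    """Hash both trees and diff them; three empty lists mean the live root is unchanged."""
    return compare_manifests(build_manifest(known_good_dir), build_manifest(live_dir))

def demo():
    """Constructed sample: a clean deployment beside a live copy in which one file
    was planted in the uploads directory and one include was edited."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "known_good"), Path(tmp, "live")
        for root in (good, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "inc" / "config.php").write_text("<?php $debug = false; ?>\n")
        (live / "uploads").mkdir()
        (live / "uploads" / "image.php").write_text("<?php /* placeholder */ ?>\n")  # planted file
        (live / "inc" / "config.php").write_text("<?php $debug = true; ?>\n")  # tampered file
        return check_web_root(good, live)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is generated from the release package at deployment time and stored off the web server, so that an attacker who can write to the web root cannot also rewrite the reference hashes.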
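The log review recommended in the Microsoft guidelines and the detection of abnormal requests in Apache httpd logs listed above, as an added example (not the repository's own script). It assumes the Apache "combined" log format, a set of known-good script paths taken from the deployment manifest, and that the directories named in UPLOAD_DIRS are meant to hold uploads only; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
# Apache "combined" access log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx")
UPLOAD_DIRS = ("/uploads/", "/images/", "/tmp/")  # assumed: upload dirs must never serve scripts

def parse_line(line):
    """Split one log line into named fields; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")  # keep path and query apart
    return rec

def flag_request(rec, known_paths):
    """Reasons one request looks suspicious (empty list when it does not)."""
    path = rec["path"].lower()
    is_script = path.endswith(SCRIPT_EXT)
    reasons = []
    if is_script and rec["path"] not in known_paths:
        reasons.append("script not in known-good manifest")
    if is_script and path.startswith(UPLOAD_DIRS):
        reasons.append("script executed from upload directory")
    if is_script and rec["method"] == "POST" and rec["referer"] == "-":
        reasons.append("POST to script with no referer")
    return reasons

def scan_log(lines, known_paths):
    """Aggregate flagged requests per (client IP, path), counting each reason."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            for reason in flag_request(rec, known_paths):
                hits[(rec["ip"], rec["path"])][reason] += 1
    return dict(hits)

# Constructed sample log, not real traffic: a normal visitor, a normal login and one client posting repeatedly to a PHP file in the uploads directory.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2021:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2021:14:02:11 +0000] "POST /uploads/image.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Feb/2021:14:02:15 +0000] "POST /uploads/image.php?id=1 HTTP/1.1" 200 198 "-" "curl/7.68.0"
192.0.2.9 - - [10/Feb/2021:14:10:02 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example/login.php" "Mozilla/5.0"
""".splitlines()
KNOWN_PATHS = {"/index.php", "/login.php"}  # script paths from the known-good manifest
```

Running scan_log(SAMPLE_LOG, KNOWN_PATHS) reports only the 203.0.113.5 client and /uploads/image.php, with each of the three reasons counted twice; the two legitimate requests hit known paths and produce nothing.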
Microsoft’s report on the rise of web shell attacks
This situation is not new: a year ago a large increase in the use of web shells in attacks all over the world was already being reported. A report by the Microsoft 365 Defender research team has revealed that this trend not only continued but accelerated. From August 2020 to January 2021, an average of 140,000 web shell attacks per month were detected. Compared with the previous year, when the monthly average was 77,000 attacks, that is almost double.
Here’s a graph showing how web shell attacks have almost doubled.
Cybercriminals install web shells on servers by taking advantage of security flaws, usually vulnerabilities in web applications or in servers connected to the Internet. Their way of operating is to scan the Internet; a common practice is to use public scanning services such as shodan.io to locate servers to attack.
A tool with behavior-based containment and blocking capabilities, such as Microsoft Defender for Endpoint, can identify and stop web shell attacks. It generates alerts for these intrusions so that security teams using the tool can carry out further investigation and hunt for related or similar threats. The following is an example where suspicious behavior has been blocked.
However, as we will see below, a series of preventive measures can be taken to protect the servers.