Intelligence Agencies Share Web Shell Detection Techniques

The United States National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint Cybersecurity Information Sheet (CSI) that provides details on vulnerabilities exploited by threat actors to install web shell malware on web servers. 


Web shells are software usually deployed on a victim's web server. They give attackers command execution and persistent access to a compromised environment, and their communication channels can be blended with legitimate web traffic in order to evade detection. 


To install web shells, adversaries typically target vulnerabilities in web applications or upload code to systems that are already compromised. Once installed, these web shells can serve either as backdoors or as relay nodes to route commands to other systems. 


Although Internet-facing servers are the expected targets for web shell installation, internal systems that are not Internet-facing are often targeted as well, as they tend to be more vulnerable due to lagging patch management or more permissive security requirements, the joint CSI from the US and Australian signals intelligence agencies explains (PDF).


“Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic,” the CSI reads. 


The CSI includes information on how organizations can detect web shells, prevent them from impacting their networks, and recover after attacks. In addition to detection techniques, it includes links to signatures and lists maintained on GitHub. 
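The article does not reproduce the CSI's detection material, so the following is an added example written for this page, not one of the NSA/ASD scripts or signatures. It demonstrates two checks that web shell detection guidance generally relies on: comparing the live web root against a known-good file manifest, and flagging files that combine a code-execution primitive with request input or a decoder (the shape of most simple PHP/ASP shells). The regular expressions are illustrative assumptions rather than published signatures, and the web root, baseline and "shell" files are constructed sample data so the script runs offline.

```python
"""Added example: known-good comparison plus content heuristics for
web shell detection. Not from the NSA/ASD CSI; sample data is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristics: an execution primitive (index 0) plus at least one
# source of attacker-controlled input or an obfuscation decoder.
EXEC_PATTERN = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
INPUT_PATTERNS = [
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),   # PHP superglobals
    re.compile(rb"base64_decode\s*\(", re.I),                   # common obfuscation
    re.compile(rb"Request\.(Form|QueryString|Item)", re.I),     # ASP/ASPX
]


def file_sha256(path: Path) -> str:
    """Stream-hash a file so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record relative path -> sha256 for every file in a clean deployment."""
    return {str(p.relative_to(root)): file_sha256(p)
            for p in root.rglob("*") if p.is_file()}


def scan_webroot(root: Path, baseline: dict) -> list:
    """Return one finding per file that is new, modified, or shell-like."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        digest = file_sha256(p)
        reasons = []
        if rel not in baseline:
            reasons.append("not in known-good baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from known-good baseline")
        data = p.read_bytes()
        # Require both halves to keep noise from ordinary application code down.
        if EXEC_PATTERN.search(data) and any(pat.search(data) for pat in INPUT_PATTERNS):
            reasons.append("exec primitive combined with request input/decoder")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


# Constructed sample web root (hypothetical content, not real application code).
SAMPLE_CLEAN = {
    "index.php": b"<?php echo 'Hello'; ?>\n",
    "lib/db.php": b"<?php function q($s){ return mysqli_query($GLOBALS['c'], $s); } ?>\n",
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}
SAMPLE_SHELL = b"<?php @eval(base64_decode($_POST['c'])); ?>\n"


def build_sample_webroot(root: Path, with_shell: bool) -> None:
    """Write the clean site; optionally drop a shell and backdoor an existing file."""
    for rel, data in SAMPLE_CLEAN.items():
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(data)
    if with_shell:
        (root / "img" / "thumb.php").write_bytes(SAMPLE_SHELL)
        with (root / "index.php").open("ab") as f:
            f.write(b"<?php if(isset($_GET['x'])) system($_GET['x']); ?>\n")


def demo() -> list:
    """Baseline a clean copy, then scan a compromised copy of the same site."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        clean_root, live_root = Path(clean), Path(live)
        build_sample_webroot(clean_root, with_shell=False)
        baseline = build_baseline(clean_root)
        build_sample_webroot(live_root, with_shell=True)
        return scan_webroot(live_root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

In practice the baseline would come from the deployment pipeline or a clean image, not from a copy of the server itself, and any file flagged only by the content heuristic still needs a human look: legitimate plugins sometimes call `eval` on user input, which is itself a finding worth raising.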


The advisory also provides security teams with scripts they can use to ..
