The United States National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint Cybersecurity Information Sheet (CSI) on web shell malware, including details on the vulnerabilities threat actors exploit to install web shells on web servers.
Web shells are malicious scripts, usually deployed on a victim's web server, that give attackers remote command execution and persistent access to a compromised environment. Because the attacker's commands travel over the same HTTP(S) channel as ordinary requests to the server, they blend with legitimate traffic and are difficult to detect.
To install web shells, adversaries typically exploit vulnerabilities in web applications or upload code to systems they have already compromised. Once in place, a web shell can serve as a backdoor or as a relay node that routes commands to other systems.
Although Internet-facing servers are the expected targets for web shell installation, internal systems that are not Internet-facing are often targeted as well, because lagging patch management or more permissive security requirements leave them more vulnerable, the joint CSI from the two signals intelligence agencies explains (PDF).
“Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic,” the CSI reads.
The CSI includes information on how organizations can detect web shells, prevent them from impacting their networks, and recover after attacks. In addition to detection techniques, it includes links to signatures and lists maintained on GitHub.
The advisory also provides security teams with scripts they can use to compare a website with a known-good image, Splunk queries for identifying anomalous URIs in web traffic, an Internet Information Services (IIS) log analysis tool, signatures for the network traffic of common web shells, details on how to identify unexpected network flows and abnormal process invocations, a list of commonly exploited web application vulnerabilities, and HIPS rules for blocking changes to web-accessible directories.
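The log-analysis idea behind the advisory's Splunk queries and IIS log tool can be reproduced with a short script. The following is an added example written for this article, not the NSA/ASD tooling: it parses IIS W3C extended log lines and flags script URIs that are POSTed to by only a handful of client addresses, are never requested with a browser-like User-Agent, and carry no Referer, which is how a web shell's command channel tends to look next to normal page traffic. The log lines are constructed for the example, and the thresholds, extension list and User-Agent hints are assumptions to tune per site.

```python
"""Flag web-shell-like URIs in IIS W3C logs (added example, not the CSI's own tooling)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in IIS W3C extended format (not real traffic).
# IIS writes "-" for empty fields and replaces spaces inside a field with "+".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-04-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-20 08:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2020-04-20 08:00:02 10.0.0.5 GET /index.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Macintosh) - 200 0 0 10
2020-04-20 08:00:03 10.0.0.5 GET /products.aspx id=7 443 - 203.0.113.12 Mozilla/5.0+(X11;+Linux) - 200 0 0 15
2020-04-20 08:00:04 10.0.0.5 POST /login.aspx - 443 - 203.0.113.13 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/index.aspx 302 0 0 40
2020-04-20 08:01:00 10.0.0.5 POST /uploads/img/css.aspx - 443 - 198.51.100.7 python-requests/2.23.0 - 200 0 0 310
2020-04-20 08:01:30 10.0.0.5 POST /uploads/img/css.aspx cmd=whoami 443 - 198.51.100.7 - - 200 0 0 280
2020-04-20 08:02:10 10.0.0.5 POST /uploads/img/css.aspx cmd=dir 443 - 198.51.100.7 - - 200 0 0 275
"""

# Assumed tunables: server-side script extensions worth scoring, and substrings
# that a real browser User-Agent is expected to contain.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".jspx", ".cfm")
BROWSER_UA_HINTS = ("Mozilla", "Chrome", "Safari", "Edge", "Firefox")


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields: names."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # drop the '#Fields:' token itself
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


@dataclass
class UriStats:
    hits: int = 0
    posts: int = 0
    clients: set = field(default_factory=set)  # distinct c-ip values
    agents: set = field(default_factory=set)   # distinct User-Agent values
    referers: int = 0                          # requests that carried a Referer


def summarize(records):
    """Aggregate per-URI statistics that distinguish shells from normal pages."""
    stats = defaultdict(UriStats)
    for r in records:
        s = stats[r["cs-uri-stem"].lower()]
        s.hits += 1
        if r["cs-method"].upper() == "POST":
            s.posts += 1
        s.clients.add(r["c-ip"])
        s.agents.add(r["cs(User-Agent)"])
        if r["cs(Referer)"] != "-":
            s.referers += 1
    return stats


def find_suspicious_uris(records, max_clients=2):
    """Return (uri, reasons) for script URIs matching at least two shell traits."""
    findings = []
    for uri, s in summarize(records).items():
        if not uri.endswith(SCRIPT_EXTENSIONS):
            continue
        reasons = []
        if s.posts and len(s.clients) <= max_clients:
            reasons.append(f"POSTed to by only {len(s.clients)} client address(es)")
        if not any(any(h in ua for h in BROWSER_UA_HINTS) for ua in s.agents):
            reasons.append("never requested with a browser-like User-Agent")
        if s.posts and s.referers == 0:
            reasons.append("POSTs carry no Referer")
        if len(reasons) >= 2:  # a single trait is common for legitimate APIs
            findings.append((uri, reasons))
    return findings


if __name__ == "__main__":
    for uri, reasons in find_suspicious_uris(parse_iis_log(SAMPLE_LOG)):
        print(uri, "->", "; ".join(reasons))
```

Requiring two traits keeps a legitimate login form (one POST from one client, but a browser User-Agent and a Referer) out of the findings while the planted `css.aspx` under an uploads directory trips all three. On a real server, run it over a day of logs and then compare any flagged file against the known-good image of the site, as the advisory recommends.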
The commonly exploited web application vulnerabilities listed in the CSI affect Microsoft SharePoint (CVE-2019-0604) and Exchange Server (CVE-2020-0688), Citrix products (CVE-2019-19781), Atlassian Confluence (CVE-2019-3396 and CVE-2019-3398) and Crowd (CVE-2019-11580), the WordPress "Social Warfare" plugin (CVE-2019-9978), Progress Telerik UI (CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357), Zoho ManageEngine (CVE-2020-10189 and CVE-2019-8394), and Adobe ColdFusion (CVE-2018-15961), the NSA and ASD note.