Web shell malware continues to evade many security tools

Cyber attackers are increasingly leveraging web shell malware to get persistent access to compromised networks, the US National Security Agency and the Australian Signals Directorate warn.

What are web shells?

Web shells are malicious scripts that are uploaded to target systems (usually web servers) to enable attackers to control it remotely. In affect, they create a backdoor into the target system.

The threat is not limited to internet-facing web servers, though, and can be deployed on non-internet facing internal content management systems or network device management interfaces.

Preventing web shell installation

Attackers usually manage to deploy web shells by exploiting web application vulnerabilities, weak server security configuration, or by uploading to otherwise compromised systems.

Among the web application vulnerabilities that are commonly exploited to install web shell malware are:

• CVE-2019-0604 (affecting Microsoft SharePoint)
• CVE-2019-19781 (affecting Citrix appliances)
• CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
• CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
• CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
• CVE-2019-11580 (affecting Atlassian Crowd)
• CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
• CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
• CVE-2020-0688 (affecting Microsoft Exchange Server)
• CVE-2018-15961 (affecting Adobe ColdFusion).

“This list is not intended to be exhaustive, but it provides insight on some frequently exploited cases,” the agencies noted, and advised organizations to regularly patch/update web apps and limit their permissions.

“In particular, web applications should not have permission to write directly to a web accessible directory or modify web accessible code. Attackers are unable to upload a web shell to a vulnerable application if the web server blocks access to the web accessible directory,” they pointed out.

If the latter step is not possible, they advised orgs to implement file integrity monitoring to block file changes to web accessible directories or alert when changes occur.

Finally, they should add defense layers such as Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF), and improve network segregation and harden web servers.

Detecting installed web shells

“Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation,” the agencies explained. That’s what makes them so useful to attackers and so dangerous to defenders.

There are several methods that can be used to detect their presence, such as:

• Comparing a verified benign version of the web app against the production version (and analyzing the discrepancies)
• Monitoring web traffic for anomalies
• Detection based on signatures (can work for detecting popular web shells that have been minimally modified)
• Monitoring for unexpected network flows
• Using Endpoint Detection and Response (EDR) and logging tools such as Microsoft Sysmon or Auditd (on Linux systems) to spot system call or process lineage abnormalities

The NSA has set up a GitHub repository with tools and signatures that can help defenders implement these techniques.

Finally, the agencies warn, organizations that find a web shell on one or more of their systems should investigate how far the attacker penetrated within the network.