A joint report published by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) is warning of bad actors increasingly exploiting vulnerable web servers to deploy web shells.
Web shells allow attackers to maintain access to a compromised system and execute arbitrary commands. Threat actors can use the compromised system as an entry point into a target network, gathering intelligence and attempting lateral movement.
“Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI),” reads the report.
The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report is also useful for administrators who want to defend the servers in their own networks against these threats.
“Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, the ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware.” states the ASD.
“This guidance will be useful for any network defenders responsible for maintaining web servers.”
The NSA has also released, in its GitHub repository, a collection of tools that can be used to prevent the deployment of web shells and to detect and block these threats.
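One basic way to spot a dropped web shell is to compare the current contents of a web root against a trusted baseline taken at deployment time and flag any file that was added or changed since. The script below is an added example written for this post, not a tool from the NSA repository; the web root, file names and file contents are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map every file under the web root (relative POSIX path) to its hash."""
    return {p.relative_to(webroot).as_posix(): file_sha256(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}


def compare_to_baseline(webroot: Path, baseline: dict) -> dict:
    """Report files added, modified or removed since the known-good baseline.
    A new script in an upload directory or an altered page is what to inspect first."""
    current = build_baseline(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed web root: snapshot a clean deployment, then simulate a later
    state with one unexpected script and one altered page (placeholder content only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = build_baseline(root)  # would normally be stored off-host at deploy time
        # Later state: a script appears where only images belong, and a page changes.
        (root / "uploads" / "avatar.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored somewhere the web server account cannot write, and any hit in an upload or static directory deserves a look at the web server access logs for POST requests to that path.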
“Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems. Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems. Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks,” reads the document.
“Though the term ‘web shells’ is predominantly associated with malware, it can also refer to web-based system management tools used legitimately by administrators. While not the focus of this guidance, these benign web shells may pose a danger to organizations as weaknesses in these tools can result in system compromise. Administrators should use system management software leveraging enterprise authentication methods, secure communication channels, and security hardening.”
The report also includes a list of security issues commonly exploited by threat actors to deploy web shells. The vulnerabilities affect a broad range of products, including Microsoft SharePoint, Citrix appliances, Atlassian software, the WordPress Social Warfare plugin, Adobe ColdFusion, Zoho ManageEngine, and the Progress Telerik UI app-building toolkit.
| Vulnerability Identifier | Affected Application | Reported |
| --- | --- | --- |
| CVE-2019-0604 | Microsoft SharePoint | 15 May 2019 |
| CVE-2019-19781 | Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances | 22 Jan 2020 |
| CVE-2019-3396 | Atlassian Confluence Server | 20 May 2019 |
| CVE-2019-3398 | Atlassian Confluence Server and Atlassian Confluence Data Center | 26 Nov 2019 |
| CVE-2019-9978 | WordPress “Social Warfare” Plugin | 22 Apr 2019 |
|  | Progress Telerik UI | 7 Feb 2019 |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | 15 July 2019 |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central | 6 Mar 2020 |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus | 18 Feb 2019 |
| CVE-2020-0688 | Microsoft Exchange Server | 10 Mar 2020 |
| CVE-2018-15961 | Adobe ColdFusion | 8 Nov 2018 |
(SecurityAffairs – Web shells, hacking)