Microsoft warns of the rise of web shell attacks

Pierluigi Paganini February 12, 2021

Researchers from Microsoft are warning that the number of monthly web shell attacks has doubled since last year.

Microsoft reported that the number of monthly web shell attacks has almost doubled since last year, its experts observed an average of 140,000 of these software installs on servers on a monthly basis, while in 2020 they were 77,000.

“One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year.” reads the report published by Microsoft.

A web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

The surge in the number of attacks involving web shells is attributed to their simplicity and efficiency.

The latest Microsoft 365 Defender data shows a growing trend since August 2020.

web shell attacks encounters-trend

Microsoft also provided some tips on how to harden servers against attacks attempting to download and install a web shell.

The experts highlighted challenges in detecting web shell attacks, these malicious codes can be developed using several languages. They are difficult to detect due to their simplicity, threat actors often used webshells for persistence or for early stages of exploitation.

Web shells can be hidden web shells in non-executable file formats, such as media files.

“Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server.” continues the report. “When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.”

In April 2020, the U.S. NSA and the Australian Signals Directorate (ASD) issued a report to warn of attackers increasingly exploiting vulnerable web servers to deploy web shells.

The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report could be useful for administrators that want to defend the servers in their networks from these threats.

The NSA has also released in its GitHub repository a collection of tools that can be used to prevent the deployment of the webshells and detect/block these threats.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, web shell)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment