November 22, 2023 at 03:06PM
Experts say that web shells, which are easy-to-use tools used to issue commands to compromised servers, are becoming more popular among attackers. The use of web shells such as WSO-NG and others by ransomware gangs and in mass exploitation campaigns has been observed. Web shells are difficult to detect and allow attackers to remain anonymous. Defenses against web shells include monitoring web traffic for suspicious patterns and using web application firewalls.
The meeting notes discuss the increasing popularity of web shells as a post-exploitation tool used by attackers. Web shells provide an easy interface to issue commands to compromised servers, and they have become more prevalent as attackers target cloud resources.
One specific web shell mentioned is WSO-NG, which disguises its login site as a 404 “Page Not Found” page and gathers information about potential targets through legitimate services like VirusTotal. It also scans for metadata related to Amazon Web Services to steal developers’ credentials. Other web shells mentioned include those deployed by ransomware groups Cl0p and C3RB3R, exploiting vulnerabilities in enterprise servers.
Maxim Zavodchik, threat research director at Akamai, highlights how web applications have a large attack surface, making them susceptible to exploitation. Web shells are a common next step after exploiting web vulnerabilities because they can communicate in the same language as the web server.
Microsoft has observed a significant increase in the use of web shells, as they allow attackers to run commands on servers for various malicious activities and persist within the organization. Web shells are difficult to detect through static analysis or traffic analysis since they blend in with regular web traffic.
Attackers can leverage off-the-shelf web shells without revealing their identity, as many are readily available on platforms like GitHub. Kali Linux, an open-source Linux distribution, also provides various web shells, making it convenient for penetration testers.
The best defense against web shells is to monitor web traffic for suspicious patterns, anomalous URL parameters, and unknown URLs and IP addresses. Verifying the integrity of servers and employing directory content monitoring can also help detect any changes. Additionally, defensive tools like web application firewalls (WAFs) can provide solid measures by examining traffic flows.