
Web shell attacks on the rise, Microsoft warns

The number of attacks using web shells continues to rise steadily, with an average of 140,000 such threats being detected on compromised servers each month, Microsoft warns. According to the tech giant, the number of web shell attacks nearly doubled from the previous year.

A web shell is a small tool that hackers place on target web servers to gain remote access to server functions. It also allows attackers to run commands on servers to steal data or use the compromised server as a launch pad for other activities, such as credential theft, lateral movement within the network, deployment of additional malicious payloads, or hands-on keyboard activity.

Attackers typically search for vulnerable servers on the Internet and install web shells by exploiting security holes such as flaws in web applications or servers connected to the Internet.

“Web shells can be built using any of several languages that are popular with web applications. Within each language, there are multiple means of executing arbitrary commands and there are multiple means of arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that are passed during a client/web server exchange,” Microsoft said.

The Windows maker also shared some recommendations on how to harden servers against web shell attacks. Here they are:

  • Identify and correct vulnerabilities or incorrect configurations in web applications and web servers. Use Threat and Vulnerability Management to discover and correct these weaknesses. Deploy the latest security updates as soon as they are available.
  • Implement proper segmentation of your perimeter network so that a compromised web server does not compromise the business network.
  • Enable antivirus protection on web servers. Activate cloud-delivered protection for the latest defenses against new and emerging threats. Users should only be able to upload files to directories that can be scanned by antivirus and that are configured to disallow server-side scripting or execution.
  • Audit and review web server logs frequently. Be aware of all systems that you directly expose to the Internet.
  • Use Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command and control server communication between endpoints whenever possible, limiting lateral movement as well as other attack activities.
  • Check your firewall and perimeter proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with domain or local administrator level privileges.
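The log-review recommendation above can be turned into a first-pass triage script. The following is an added example, not code from Microsoft or this article: it parses combined-format access log lines and flags the three patterns the article describes (scripts served from upload directories, scripts that are not in the application's inventory, and command input hidden in parameters or the user agent string). The log lines, the upload directory names, the parameter names and the script inventory are all constructed assumptions to be tuned to your own environment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed layout, matches the constructed lines below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp", ".jspx")
# Directories where users may upload files but server-side scripts must never run (assumed paths).
UPLOAD_DIRS = ("/uploads/", "/images/")
# Parameter names that should not carry command input in this application (assumed baseline).
COMMAND_PARAMS = {"cmd", "exec", "command"}
# Tokens that never appear in a browser user agent but do in shell-style input (assumption).
SHELL_TOKENS = ("`", "$(", "|", "&&")
# Scripts that legitimately exist in the deployed application (constructed inventory).
KNOWN_SCRIPTS = {"/index.php", "/login.php"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review(lines, known_scripts):
    """Return (reason, path) pairs for requests matching the web-shell patterns above."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        path, params = url.path.lower(), parse_qs(url.query)
        is_script = path.endswith(SCRIPT_EXT)
        if is_script and path.startswith(UPLOAD_DIRS):
            findings.append(("script executed from upload directory", path))
        elif is_script and path not in known_scripts:
            findings.append(("request to script not in application inventory", path))
        if COMMAND_PARAMS & set(params):
            findings.append(("command-style parameter supplied", path))
        if any(tok in rec["ua"] for tok in SHELL_TOKENS):
            findings.append(("shell metacharacters in user agent", path))
    return findings

# Constructed sample log lines: one benign page view, two requests worth a closer look.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [10/Feb/2021:10:00:07 +0000] "POST /uploads/avatar.php?cmd=placeholder HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2021:10:00:09 +0000] "GET /tmp/x.aspx HTTP/1.1" 200 40 "-" "curl/7.68 $(placeholder)"',
]

if __name__ == "__main__":
    for reason, path in review(SAMPLE_LOG, KNOWN_SCRIPTS):
        print(f"{reason}: {path}")
```

Hits from this script are leads for investigation, not verdicts; compare the flagged paths against the deployed application and the file-creation times on the server before acting.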
