Web Shells Gain Sophistication for Stealth, Persistence

  /     /     /  
Publicated : 23/11/2024   Category : security


Web Shells Gain Sophistication for Stealth, Persistence


A favorite post-exploitation tool continues to gain sophistication, with one recent example adding disguised log-in pages, credential stealing, and information gathering via services such as VirusTotal.



Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say.
A Web shell known as WSO-NG was recently seen disguising its login site as a 404 Page Not Found splash page, gathering information about potential targets through legitimate services such as VirusTotal, and scanning for metadata related to Amazon Web Services as a pathway to stealing developers credentials, internet management firm Akamai stated in
an analysis posted on Nov. 22
. Other Web shells have been deployed by the Cl0p and C3RB3R ransomware gangs, the latter which exploited servers running Atlassian Confluence enterprise server in
a mass exploitation campaign
earlier this month.
Web shells have become an easy-to-use way of issuing commands to compromised servers as attackers increasingly target cloud resources, says Maxim Zavodchik, threat research director at Akamai.
Today, the attack surface that Web applications — not just APIs — allows is really large, he says. So when youre exploiting a Web vulnerability, the easiest next step will be to deploy a Web platform — an implant, something that is not a binary, but talks the same language as the Web server.
Akamai focused on WSO-NG following its use in a massive campaign
targeting Magento 2 e-commerce shops
, but other groups use different Web shells. The Cl0p ransomware group, for example, dropped the DEWMODE and LEMURLOOT Web shells, respectively, after exploiting vulnerabilities in Kiteworks Accellion FTA in 2020 and Progress Softwares MOVEit managed file transfer service in May, according to
a June 2023 analysis by networking firm F5
.
In 2021, Microsoft noted that the use of Web shells had grown dramatically, with the company seeing nearly double the encounters of Web shells on monitored servers compared to the prior year, the company
stated in an analysis
. More recent data is not available.
Web shells allow attackers to run commands on servers to steal data or use the server as [a] launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization, Microsoft stated in its analysis.
One reason attackers have taken to Web shells is because of their ability to stay under the radar. Web shells are hard to detect with static analysis techniques, because the files and code are so easy to modify. Moreover, Web shell traffic — because it is just HTTP or HTTPS — blends right in, making it hard to detect with traffic analysis, says Akamais Zavodchik.
They communicate on the same ports, and its just another page of the website, he says. Its not like the classic malware that will open the connection back from the server to the attacker. The attacker just browses the website. Theres no malicious connection, so no anomalous connections go from the server to the attacker.
In addition, because there are so many off-the-shelf Web shells, attackers can use them without tipping off defenders as to their identity. The WSO-NG Web shell, for instance, is available on GitHub. And Kali Linux is open source; its a Linux distribution focused on providing easy-to-use tools for red teams and offensive operations, and it provides 14 different Web shells, giving penetration testers the ability to upload and download files, execute command, and creating and querying databases and archives.
When APT threat actors ... move from specially tailored binary implants to Web shells — either their own Web shells or some generic Web shells — no one could be attributing those factors to the specific groups, Zavodchik says.
The best defenses are monitoring Web traffic for suspicious patterns, anomalous URL parameters, and unknown URLs and IP addresses. Verifying the integrity of the servers is also a key defensive tactic, Malcolm Heath, a senior threat researcher at F5 Networks, wrote in a June post on Web shells.
Directory content monitoring is also a good approach, and some programs exist which can detect changes to monitored directories immediately and roll back changes automatically, the company stated. Additionally, some defensive tools allow for the detection of anomalous process creation.
Other methods include focusing on detecting the initial access and the deployment of a Web shell. Web application firewalls (WAFs), with their ability to look at traffic flows, are also solid defensive measures.

Last News

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Web Shells Gain Sophistication for Stealth, Persistence