The increase in usage of web shells as persistence mechanisms during network intrusions that Microsoft identified last year has picked up speed quickly in the last few months, with an average of more than 140,000 web shell detections each month.
Data gathered by Microsoft’s security tools shows that in the last six months, web shells have been part of more than 100,000 detected incidents each month, and more than 150,000 in both August and December. Web shells have become popular with several types of attackers, including both cybercrime groups and more sophisticated state-backed teams, likely thanks to their simplicity and the persistence functionality they offer. While they are just small bits of code dropped onto a web server, web shells can be difficult to detect and can allow an attacker to maintain access to a compromised server for a long time.
“Web shells allow attackers to run commands on servers to steal data or use the server as launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization,” Microsoft’s Detection and Response Team said in a post on the new data.
“Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We frequently see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.”
Attackers will often exploit known vulnerabilities in common server software or network gear in order to gain access to a target server and then install a web shell. Last summer, Microsoft’s detection tools saw attackers exploiting a vulnerability in the F5 Networks Traffic Management User Interface just a few days after the bug had been disclosed. Exploit code was publicly available at the time, and attackers quickly took advantage of it to start loading web shells on vulnerable machines.
“The web shell was used to run common cryptocurrency miners. In the days that followed, industry security researchers saw the exploit being broadly used to deploy web shells, with multiple variants surfacing not long after,” Microsoft said.
“Compromise recovery cannot be successful and enduring without locating and removing attacker persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.”
In its initial research released last year, Microsoft reported seeing an average of 77,000 web shell detections per month. Some of the groups that were using web shells in their operations at the time included the Lazarus group, which is tied to the North Korean government, and the Gallium group, a team that has been known to target telecom operators. More recently, attacks that used web shells have spiked to more than 140,000 per month, according to Microsoft, an increase that is worrying both because of the sheer volume and because of how hard those web shells are to detect. Many web shells are quite simple and may look completely benign on first inspection.
“A harmless-seeming script can be malicious depending on intent. But when attackers can upload arbitrary input files in the web directory, then they can upload a full-featured web shell that allows arbitrary code execution—which some very simple web shells do,” Microsoft said.
“These file-upload web shells are simple, lightweight, and easily overlooked because they cannot execute attacker commands on their own. Instead, they can only upload files, such as full-featured web shells, onto web servers.”
For enterprise security teams, there are some keys to defending against web shells. One of the most important is promptly patching vulnerabilities in Internet-facing systems, along with good network segmentation to prevent web server compromises from becoming jumping-off points for broader network intrusions.
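The distinction Microsoft draws above, between upload-only web shells and full-featured ones that execute commands, is easy to encode as a first-pass triage rule for scripts found in a web root. The following is an added example, not code from Microsoft or from the original article; the regex patterns and the sample file contents are constructed for illustration and are not an exhaustive signature set.

```python
import re

# Heuristic indicators for PHP scripts (assumption: illustrative patterns only).
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
EXEC_SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
FILE_WRITE_SINKS = re.compile(r"\b(move_uploaded_file|file_put_contents|fwrite|copy)\s*\(")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(")


def classify_script(source):
    """Return a triage verdict for one PHP source text.

    Request input reaching an execution sink marks a full-featured shell
    candidate; request input reaching only a file-write sink marks the
    upload-only kind the article describes, which is still a foothold
    because it can drop a full-featured shell later.
    """
    has_input = bool(REQUEST_INPUT.search(source))
    has_exec = bool(EXEC_SINKS.search(source))
    has_write = bool(FILE_WRITE_SINKS.search(source))
    has_obf = bool(OBFUSCATION.search(source))
    if has_input and has_exec:
        return "command-execution web shell candidate"
    if has_input and has_write:
        return "file-upload web shell candidate"
    if has_obf and (has_exec or has_write):
        return "obfuscated script, review"
    return "no web shell indicators"


def scan_webroot(files):
    """files: dict of path -> source text. Returns only paths needing review."""
    verdicts = {path: classify_script(src) for path, src in files.items()}
    return {p: v for p, v in verdicts.items() if v != "no web shell indicators"}


# Constructed sample files (not real artifacts) covering the cases above.
SAMPLES = {
    "contact.php": "<?php $msg = $_POST['msg']; mail('ops@example.com', 'contact', $msg);",
    "uploads/img.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'uploads/' . $_FILES['f']['name']);",
    "cache/x.php": "<?php echo system($_REQUEST['c']);",
    "lib/unpack.php": "<?php eval(gzinflate(base64_decode($blob)));",
}

if __name__ == "__main__":
    for path, verdict in scan_webroot(SAMPLES).items():
        print(f"{path}: {verdict}")
```

A benign form handler that reads request input but never reaches a sink is left alone, which keeps the review queue to the scripts worth a human look.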