In the 21st century, cybercriminals are experimenting and changing tactics every day to fool security products and researchers. They experiment by implementing novel techniques and/or tools to camouflage their cyberattacks, compromise the security, or remote control after invading networks and systems. Web shells — especially if maliciously used — help attackers to do the third task.
But what is a web shell attack?
A web shell is a code or script running on a web server for enabling web admins to remote access. Though it is mostly utilized by web admins for legitimate administration tasks, it is also popular among malicious actors to gain and maintain remote control over the internet-facing web servers.
Once a web shell is placed on a web server and a connection is established with its attackers, the web shell proves a powerful tool in the hands of cybercriminals. Since it assists in remote control, the attackers can act on their malicious objectives such as data exfiltration, service disruption, and more.
A web shell attack is dangerous because it is hard to detect a malicious web shell since it may also be utilized for authorized administrative tasks. That is why security products may overlook a malicious web shell.
Moreover, a simple web shell can do considerable damage depending on the attackers’ commands while maintaining a minimal presence, proving its ill-effects in the wrong hands.
Example of a web shell attack
First of all, an attacker looks for vulnerabilities in the target server — the same as the first step of any cyberattack. Secondly, the attacker leverages a potential vulnerability (Remote File Inclusion, SQL Injection, etc.) to create or install a piece of code or a script on to the webserver.
Finally, the attacker will remotely post or send requests to the installed web shell with the commands to execute on the target web server, and they get executed with local permissions on the web server as if the attacker had direct access to the compromised server.
For example, an attacker finds out a SQL Injection vulnerability is present on a web server named “xyz.com”. Then the attacker leverages that vulnerability to install a web shell (named “shell.php”) on the said website. Finally, the attacker will send remote commands to “shell.php”, and it will run them as those commands are run by an authorized web admin, granting harmful access to the attacker.
Protection against web shell attacks
Web shell attacks come in multiple variations for different languages or platforms, making it difficult for Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect them.
Though behavioral analysis along with signature analysis is more useful at detecting web shells, some web shells are so sophisticated that even behavioral analysis cannot usually detect them. However, there are ways to detect them and protect servers against web shell attacks.
First of all, the easiest way to determine web shells is to look for increasing usage of resources on the web server. Then, they can be detected by comparing web app files against its release version files and looking for discrepancies. Then, they can be detected by monitoring network and web traffic for unexpected flaws or anomalies.
Also, Endpoint Detection and Response (EDR) with logging tools like Auditd or Microsoft Sysmon can be utilized for detecting unexpected system calls or process lineage abnormalities for spotting web shell attacks.
Since the web shells work as post-exploitation tools for the attackers, the first and foremost prevention against web shells is disallowing their creation and/or installation on the servers. A performant vulnerability scanner along with Web Application Firewall (WAF) will help to detect and fix potential vulnerabilities like arbitrary code execution and file upload vulnerabilities.
Such security tools help inspect thousands of vulnerabilities and find potential entry points for the attackers for uploading the web shells. Also, WAF helps detect and filter malicious network packets, minimizing the risk of web shell attacks.
A more modern approach involves consolidated security through extended detection and response (XDR).
This combines the capabilities of an antivirus, EDR, user behavior analysis, network analytics, incident response, and ransomware protection. An XDR solution involves a fully automated security platform that addresses all workflows across the cybersecurity lifecycle, where proactive breach tracking and incident response play a big part in ensuring the integrity of systems. With a holistic approach to security, organizations can expect complete visibility and the ability to detect and stop threats as they emerge. This can be done either through an on-premises or cloud-based approach.
The U.S. National Security Agency and the Australian Signals Directorate have advised organizations to regularly patch and/or update applications and limit permissions for both apps and users on the servers.
"In particular, web applications should not have permission to write directly to a web-accessible directory or modify web-accessible code. Attackers are unable to upload a web shell to a vulnerable application if the web server blocks access to the web-accessible directory," they reported in their joint research.
File integrity monitoring systems must also be implemented to detect and alert and/or block file changes in web-accessible directories. Moreover, organizations should implement Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) along with WAF and improve network security and segregation.
If a web shell is discovered, a thorough investigation must be put in place to detect the reach of the attackers in the compromised networks. Network flow and packet capture data can assist in determining the reach and potential network targets of the web shell.
And finally, the complete installation of the web shell should be cleaned up otherwise the attackers may again get access.