Web shells certainly are not new. They continue to be attractive to threat actors looking to exploit security vulnerabilities and infiltrate corporate networks. As one of the most successful web application attacks, protecting against web shells must be a priority.
A Perfect Match: Rich Targets and Proven Exploits
According to Verizon’s 2021 Data Breach Investigation Report, web application attacks continue to grow. In 2020, this attack surface was the source of 43% of data breaches, double the number from 2019.
Bad actors attack web applications for two primary reasons:
- Most organizations have internet-facing applications: This means attackers have many targets to choose from, such as more well-known applications like WordPress, Magento, Drupal, Joomla, or a custom-developed web application.
- The availability of existing exploits: Over the years, both the hacker and infosec communities share their exploits publicly for well-known web app vulnerabilities. Anyone with an interest can download and use them in their own campaigns.
Why Cyber Adversaries Love Web Shells
For bad actors to get what they want, they need a foothold inside your network — one that gives them some degree of control and functionality.
That’s why they love web shells.
A web shell is a malicious piece of code uploaded to a web server, most often by exploiting a vulnerability in a web application. Written in PHP, ASP, JSP, or any other language the targeted web server can process, the code gives the attacker the ability to perform read, write, and/or execute functions on the server.
Web shells vary in form and functionality. Some are as simple as small snippets of PHP, ASP, or JSP code that enable a single command function to be performed. Most of the time, however, they take the form of a web interface that gives the attacker an administrative panel. After all, why would adversaries bother brute-forcing into an admin console when they can implant their own on a server?
There are historically two common attack vectors that allow a web shell to be placed on a server:
- Arbitrary file upload — An upload function that can be executed on the server with minimal restrictions.
- File inclusion — Files are included within PHP, ASP, or JSP context.
The two most common types of file inclusion are the local file include (LFI) and remote file include (RFI) vulnerabilities. With LFI, code is implanted that requests a web application to serve a file that is on the local system:
- Example: site.com/update.php?page=/path/to/file
For RFI, instead of asking for a local file, code is implanted that requests a web server fetch a remote file and return whatever is in the requested web page:
- Example: site.com/update.php?page=http://site.site/path/to/file
Both methods are highly effective at allowing adversaries to implant malicious code on web servers.
The trend has shifted slightly in recent times, whereby certain new Java-based RCE vulnerabilities sometimes have caused small JSP web shells sent as a payload object to be written to file (e.g., Spring4Shell, CVE-2022-22965) or attackers can send JSP snippets to be loaded in-memory for use as memory-only shells (observed for CVE-2022-26134). As has been the case with historical campaigns, attackers sometimes use initial web shells to deploy secondary web shells that may afford them greater functionality, better familiarity than the smaller initial shells, or even just greater persistence; the system may restart, in which case the web shell on disk persists or, conversely, an administrator may find and delete the web shell on disk and the attacker has the in-memory shell still available, reducing the noise of sending fresh exploitation attempts
The Power of Web Shells
Web shells enable adversaries to execute commands and gain control over a web server. With this power, adversaries can steal data, install other malicious software via remote file requests, pilfer user credentials, and execute system commands.
In addition, web shells help attackers infiltrate deeper into your network. Once implanted on a web server, they can be a launch pad for more attacks, enabling adversaries to traverse your network and infect other servers. In this way, web shells help malicious code achieve persistence — and the longer the code lingers undetected, the more data it can steal.
Well-crafted web shells also can evade remediation. When web application vulnerabilities are identified, most organizations move quickly to apply corrective fixes to eliminate the exposure. However, if the vulnerability already has been exploited and a web shell implanted, adversaries can use these as a backdoor for future attacks, even after the server has been patched.
How Alert Logic Roots Out Web Shells
Web shells are effective for adversaries, which is why we continue to see them used in attacks. What’s old is new again in the sense that we see the same old web shells used over and over, as well as new variants of old ones emerging.
Alert Logic has amassed more than 300,000 web shells over years of research into customer compromises. Those web shells are analyzed through several techniques, including machine learning for creating detections to stay ahead of attackers.
When it comes to detecting web shells, our coverage analyzes both well-known web applications and custom web applications for HTTPS and HTTP traffic. We monitor traffic flow for known exploits and perform in-line blocking to prevent infection.
Our intrusion detection system (IDS) uses telemetry signatures — specific vulnerability signatures — that look across the attack surface for both well-known apps as well as customer apps to find and block attacks.
We also analyze log data. Our web log analytics engine processes logs coming out of web servers looking for web shell activity.
In addition to detection, Alert Logic works proactively to scan for vulnerabilities. Are there down-level applications on your servers that need to be patched? Are there weaknesses in your configuration that make you vulnerable? For well-known applications, our vulnerability scanner addresses over 99% of CVEs. For custom web applications, our PCI scanning covers vulnerability discovery.
To guard against web shell attacks, Alert Logic’s Threat Intelligence team continuously analyzes threat data, tracking new web shell attacks and variants, and incorporating unique detection capability into our Managed Detection and Response® (MDR) solution. To learn more, visit Alert Logic and schedule a live demonstration.