A joint report released by the U.S. NSA and the Australian Signals Directorate (ASD) warns of attackers increasingly exploiting vulnerable web servers to deploy web shells.

A joint report published by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) is warning of bad actors increasingly exploiting vulnerable web servers to deploy web shells.

Web shells allow attackers to maintain access to a compromised system and execute arbitrary commands on it. Threat actors can use the compromised system as an entry point into the target network to gather intelligence and attempt lateral movement.

“Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI),” reads the report.

The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report is equally useful for administrators who want to defend the servers in their own networks against these threats.

Malicious cyber actors are actively using web shells in their intrusion campaigns. Protect your networks—apply the mitigations listed in the @NSAGov and @ASDGovAu #Cybersecurity Information Sheet found here: https://t.co/5BGbm1Ewy0 pic.twitter.com/6BUf9UV2t1 — NSA/CSS (@NSAGov) April 22, 2020

“Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, the ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware.” states the ASD.

“This guidance will be useful for any network defenders responsible for maintaining web servers,” the ASD added.

The NSA has also released in its GitHub repository a collection of tools that can be used to prevent the deployment of web shells and to detect and block these threats.
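One of the detection approaches such tooling relies on is a "known good" comparison: hash every file under the web root against a trusted baseline and triage anything new or changed. The script below is an added illustration of that idea, not one of the NSA's published tools; the web-root snapshots, the sample file contents and the list of command-execution markers are constructed for the example.

```python
import hashlib
import os
import re

# Constructed sample snapshots of a web root as {relative_path: bytes}, so the
# example runs offline. The baseline is the trusted state; "current" contains a
# benign edit and an unexpected upload that calls a system command primitive.
BASELINE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "css/site.css": b"body { color: black; }",
}
CURRENT_FILES = {
    "index.php": b"<?php echo 'hello'; ?>\n<!-- footer -->",     # modified, benign
    "css/site.css": b"body { color: black; }",                    # unchanged
    "uploads/img.php": b"<?php system($_GET['q']); ?>",           # constructed suspicious upload
}

# Server-side command-execution primitives. A match alone is not a verdict;
# a match on a file that is NEW or CHANGED relative to the baseline is what to triage.
EXEC_MARKERS = re.compile(rb"\b(eval|system|exec|shell_exec|passthru|popen)\s*\(", re.I)


def snapshot_dir(root):
    """Walk a real web root on disk and build the same {path: bytes} mapping."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = fh.read()
    return out


def hash_tree(files):
    """Return {path: sha256_hex} for one snapshot."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def compare_to_baseline(baseline, current):
    """Known-good comparison: report added, removed, modified and suspicious paths."""
    base_h, cur_h = hash_tree(baseline), hash_tree(current)
    added = sorted(set(cur_h) - set(base_h))
    removed = sorted(set(base_h) - set(cur_h))
    modified = sorted(p for p in base_h if p in cur_h and base_h[p] != cur_h[p])
    suspicious = sorted(p for p in added + modified if EXEC_MARKERS.search(current[p]))
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


if __name__ == "__main__":
    for key, paths in compare_to_baseline(BASELINE_FILES, CURRENT_FILES).items():
        print(f"{key}: {paths}")
```

Against a live server, replace the constructed dictionaries with snapshot_dir("/var/www/html") taken at deployment time and again during review; the baseline must come from a trusted copy, not from the possibly compromised host.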

“Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems. Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems. Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks,” reads the document.

“Though the term ‘web shells’ is predominantly associated with malware, it can also refer to web-based system management tools used legitimately by administrators. While not the focus of this guidance, these benign web shells may pose a danger to organizations as weaknesses in these tools can result in system compromise. Administrators should use system management software leveraging enterprise authentication methods, secure communication channels, and security hardening,” the report continues.

The report also includes a list of security issues commonly exploited by threat actors to deploy web shells. The vulnerabilities affect a broad range of products, including Microsoft SharePoint, Microsoft Exchange Server, Citrix appliances, Atlassian software, the WordPress Social Warfare plugin, Adobe ColdFusion, Zoho ManageEngine, and the Progress Telerik UI app-building toolkit.

Vulnerability Identifier | Affected Application | Reported
CVE-2019-0604 | Microsoft SharePoint | 15 May 2019
CVE-2019-19781 | Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances | 22 Jan 2020
CVE-2019-3396 | Atlassian Confluence Server | 20 May 2019
CVE-2019-3398 | Atlassian Confluence Server and Atlassian Confluence Data Center | 26 Nov 2019
CVE-2019-9978 | WordPress “Social Warfare” Plugin | 22 Apr 2019
CVE-2019-18935, CVE-2017-11317, CVE-2017-11357 | Progress Telerik UI | 7 Feb 2019
CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | 15 July 2019
CVE-2020-10189 | Zoho ManageEngine Desktop Central | 6 Mar 2020
CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus | 18 Feb 2019
CVE-2020-0688 | Microsoft Exchange Server | 10 Mar 2020
CVE-2018-15961 | Adobe ColdFusion | 8 Nov 2018


Pierluigi Paganini

(SecurityAffairs – Web shells, hacking)
