Rewterz Threat Advisory – Detection and Prevention of Web Shell Malware

Severity

High

Analysis Summary

For computer network exploitation, cyber attackers have boosted their usage of web shell malware. Web shell malware is malicious software that a hacker installs on a victim’s web server. It can be used to run any system command that is frequently transmitted over HTTP or HTTPS. DoD components are vulnerable to web shell attacks. Adding or changing a file in an existing online application is a common way for attackers to establish web shells. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools. Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems. Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems. Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks. It is a common misperception that only internet-facing systems are targeted for web shells. Attackers frequently deploy web shells on non-internet-facing web servers, such as internal content management systems or network device management interfaces. Internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements. Though “web shells” is most commonly linked with malware, it can also refer to legitimately utilized web-based system management solutions. These benign web shells, while not the focus of this advice, may constitute a risk to businesses since flaws in these tools can lead to system compromise. Using enterprise authentication techniques, secure communication routes, and security hardening, administrators should employ system management software.

Mitigating Actions (Detection)

• “Known-Good” Comparison
• Web Traffic Anomaly Detection
• Signature-Based Detection
• Unexpected Network Flows
• Endpoint Detection and Response (EDR) Capabilities
• Other Anomalous Network Traffic Indicators

Below are the commonly exploited vulnerabilities used to install web shell malware:

• CVE-2019-0604 : Microsoft Share Point
• CVE-2019-19781 : Citrix16 Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliance 
• CVE-2019-3396  : Atlassian Confluence17 Server
• CVE-2019-3398 : Atlassian Confluence Server and Atlassian Confluence Data Center
• CVE-2019-9978 : WordPress18 Social Warfare Plugin
• CVE-2019-18935 CVE-2017-11317 CVE-2017-11357 :  Progress Telerik19 U
• CVE-2019-11580 : Atlassian Crowd and Crowd Data Center
• CVE-2020-10189 :Zoho Manage Engine 20 Desktop Central
• CVE-2019-8394 : Zoho Manage Engine Service Desk Plus
• CVE-2020-0688 : Microsoft Exchange 21 Server

Impact

• Unauthorized Access
• Remote Code Execution

Remediation

Preventing web shells should be on top of the priority on both internet-facing and internal web servers. Prevention techniques include.

Web Application Update Prioritization

• Enable automatic updating and configure frequent updates (at-least weekly).
• Deploy manual updates on a frequent basis when automatic updating is not possible.

Web Application Permissions

• Web services should follow the least privilege security paradigm.
• Web applications should not have permissions to modify web accessible code.

File Integrity Monitoring

• File integrity monitoring monitors and detects changes in files that may indicate a cyberattack.
• File integrity software can block file changes to web accessible directories or alert when changes occur.

Intrusion Prevention

• Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) each add a layer of defense for web applications by blocking some known attacks.
• Organizations should implement these appliances to block known malicious uploads.

Harden Web Servers

• Secure configuration of web servers and web applications can prevent web shells and other compromises.
• Administrators should block access to unused ports or services.
• Routine vulnerability scans can help to identify unknown weaknesses in an environment