For many organizations, cybersecurity is a “top of mind” concern. Data breaches have become a daily occurrence in recent years, and new data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), have underscored the risks of failing to properly secure user data.
One of the biggest threats to an organization’s security is its web presence. In general, website security is a major challenge for organizations. Websites are accessible from the public Internet and can contain a wide range of potential vulnerabilities. Many organizations attempt to manage vulnerabilities through manual patching processes – however, this is not a scalable approach. In recent years, over 22,000 new vulnerabilities were discovered annually. Managing vulnerabilities using manual patching is complex and increases the probability that an organization will be vulnerable to exploitation.
Beyond the decision to manage vulnerabilities inefficiently, many organizations overlook extremely common attack vectors. Recently, the US’s National Security Agency (NSA) and the Australian Signals Directorate (ASD) released a bulletin pointing out the threat associated with web shells and highlighting the vulnerabilities that cybercriminals most commonly use to plant them on a target web server.
The Threat of Web Shells
A number of vulnerabilities allow a cybercriminal to gain direct access to sensitive information or functionality. An SQL injection vulnerability allows the attacker to gain download access or modify records in a database. Cross-site scripting (XSS) vulnerabilities allow collection of sensitive information, such as passwords and payment card data, from a vulnerable website.
However, in many cases an attacker wants a greater level of access and control than their initial attack provides. In these cases, a web shell can be an invaluable asset. A web shell is designed to provide an Internet-facing interface to the command line on the web server. An attacker can send commands to the web shell as web requests and receive the results of their commands in the corresponding responses. This enables the attacker to explore the target computer and network and run programs on the web server without using protocols other than HTTPS, which could be detected.
Web shells are difficult to detect and remediate for a variety of reasons. In general, a web shell is easy to create and can be coded in a number of different programming languages. Additionally, web shells can be extremely small. These two features make them hard to detect using signature-based detection since new ones can be written or existing ones can be modified to evade signatures with minimal effort.
How Cybercriminals Plant Web Shells
In some cases, web shells have been installed on the web server by the system administrator. A web shell is useful to a system administrator for the same reasons that it would be useful to a hacker. The web shell makes it easy for an administrator to remotely manage a machine without opening up SSH.
However, the majority of web shells are installed on web servers through exploitation of a vulnerability on the server. In order to raise awareness of these threats, the NSA and the ASD issued a joint advisory outlining the ten vulnerabilities most commonly exploited to plant web shells.
This advisory was designed to draw attention to an attack vector that is often overlooked by security teams. According to Microsoft, they detect an average of 77,000 active web shells on a daily basis. Since web shells are easy to write, can be easily embedded in a web server with a variety of different vulnerabilities, and provide a great deal of protection to an attacker, they are a common step in cybercriminals’ efforts to expand and strengthen their foothold on a network.
Protecting Against Web Shells
Defending against exploitation of vulnerabilities in web applications is a significant challenge for an organization. With tens of thousands of vulnerabilities discovered each year, it can be difficult or impossible to identify and remediate all potential attack vectors on an organization’s systems.
In order to do so, it is necessary to determine the existence of a vulnerability, find the associated patch, test the patch, and apply it to all affected machines. To be effective, all of this must be completed before an attacker can write and deploy an exploit for the vulnerability (which is a much simpler process). Exacerbating this problem, the web shells that take advantage of these vulnerabilities can be extremely small and are relatively simple to write. As a result, it can be difficult to scan for web shells since they are unlikely to be detectable using signature-based detection mechanisms.
The best way to protect against web shells is to close the vulnerabilities that a cybercriminal could use to install them on a web server. A good starting point for this would be the ten vulnerabilities outlined by the NSA and the ASD; however, this is only a temporary solution since an attacker can easily adapt to use a new vulnerability in their attacks.
Attempting to patch every vulnerability in an organization’s attack surface is an unscalable solution to the problem. Instead, an organization should take advantage of the “virtual patching” capabilities offered by a web application firewall (WAF) or runtime application self-protection (RASP) solution. These systems identify and block attempted exploitation of a vulnerable Internet-facing application. By preventing these attacks from succeeding, an organization can eliminate the threat posed by a web shell by ensuring that it can never achieve a foothold on an organization’s systems.