Web Shell Malware Facilitates Cybercriminals' Access to Victims’ Networks, New Report Shows

A recent report from the national security agencies in Australia and the US showed that cybercriminals are increasingly using web shell malware to access victims’ networks.

In a joint advisory, Australia’s national security agency, the Australian Signals Directorate (ASD), and its counterpart in the US, the National Security Agency (NSA) said that cybercriminals have increased the use of web shell malware for computer network exploitation.

"Web shell malware can facilitate cyber attackers' access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network," the ASD said in a separate statement. The NSA, meanwhile, said in a separate statement, “Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks.” 

What Is Web Shell Malware?

Web shell malware is a type of malicious software that’s deployed by an attacker on a compromised web server – referring to a software to which web browsers connect to run web applications. A web application, meanwhile, refers to a set of code written to perform certain action or actions on a web server and display the result to a web browser.

An example of a web shell malware is China Chopper, a malware that allows attackers to execute various commands on the server, including dropping other malware. First found in the wild in 2012, this web shell malware uses a simple and short code that can be deployed on the target web server by simply typing it with no file transfer needed. Due to the malware’s simple code and ease of use, security researchers have difficulty in connecting this malware to any particular threat actor or group.

Preventive and Mitigating Measures Against Web Shell Malware?

The national security agencies in Australia and the US recommend the following preventive and mitigating measures against web shell malware:

1. Web Application Update

Web shell malware is often created by making changes to a file in a legitimate web application. Attackers are able to make malicious changes to legitimate web applications due to the failure of the users’ to apply in timely manner patches to known security vulnerabilities in web applications.

According to the national security agencies in Australia and the US, web application updates need to be prioritized as attackers sometimes target vulnerabilities in internet-facing and internal web applications within 24 hours of a patch release.

2. Early Detection Methods

Web shell malware is hard to detect using typical detection methods as malware creators hide their creation using encryption and obfuscation. “Known-Good” comparison and monitoring anomalous network traffic are some of the suggested measures.

In known-good comparison, a verified version of a web application is compared to your organization’s on-hand version of the web application. Discrepancies between the verified version and the on-hand version need to be manually reviewed.

Depending on the attacker, any of the following could be indicators of anomalous network traffic resulting from web shell malware: unusually large responses (an indicator of data exfiltration), recurring off-peak access times typically during non-working hours, and request from unlikely geographical location (an indicator of a foreign threat actor).

3. Harden Web Application Permissions

According to the national security agencies in Australia and the US, web applications shouldn’t have permission to write directly to a web accessible directory or modify web accessible code. The national security agencies said that malicious actors are unable to upload a web shell to a vulnerable web application if the web server blocks access to the web accessible directory.

In February of this year, Microsoft reported that attackers uploaded a web shell in multiple folders on the web server owned by an organization in the public sector. "DART’s [Microsoft’s Detection and Response Team] investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts,” Microsoft said. “This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”

4. Use Intrusion Prevention

The use of Web Application Firewall (WAF) adds an extra layer of defence for web applications by blocking some known attacks. Attackers, however, have been known to evade this signature-based blocking, as such, this approach should only be part of the whole cybersecurity measures. WAF has also been known to block the initial compromise but is unlikely to detect web shell traffic.

5. Network Segmentation

Network segmentation refers to the practice of dividing a network into sub-networks. This practice ensures that in case a particular sub-network is compromised by attackers, the other sub-networks won’t be affected.

For instance, it’s important to put in place in one sub-network internet-facing servers. The practice of network segmentation blocks web shell propagation by preventing connections to other sub-networks. “While web shells could still affect a targeted server, network segmentation prevents attackers from chaining web shells to reach deeper into an organization’s network,” the national security agencies in Australia and the US said.

6. Harden Web Servers

Securing the configuration of your organization’s web servers can prevent the deployment of web shell malware. As additional measures to harden web servers, the national security agencies in Australia and the US recommend that access to unused ports or services should be blocked, and routine vulnerability scanning should be conducted to identify unknown weaknesses in an environment.

When Patching Isn’t Enough

While patching is one of cybersecurity’s best practices, in some cases, this best practice isn’t enough to protect your organization’s network. Such is the case of patching your organization’s Pulse Secure VPN product.

Pulse Secure VPN Patch

On April 24, 2019, VPN vendor Pulse Secure released software updates, also known as patches, addressing multiple security vulnerabilities, including a patch for the security vulnerability designated as CVE-2019-11510. This security vulnerability allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI to perform an arbitrary file reading vulnerability.

Because of the CVE-2019-11510 vulnerability, an attacker will then be able to view files, such as plain text cache of credentials of past VPN users. Armed with stolen credentials, an attacker can pretend to be a legitimate Pulse Secure VPN user. The following are the affected Pulse Secure VPN versions:

• Pulse Connect Secure 9.0R1 - 9.0R3.3
• Pulse Connect Secure 8.3R1 - 8.3R7
• Pulse Connect Secure 8.2R1 - 8.2R12
• Pulse Connect Secure 8.1R1 - 8.1R15
• Pulse Policy Secure 9.0R1 - 9.0R3.1
• Pulse Policy Secure 5.4R1 - 5.4R7
• Pulse Policy Secure 5.3R1 - 5.3R12
• Pulse Policy Secure 5.2R1 - 5.2R12
• Pulse Policy Secure 5.1R1 - 5.1R15

Following the release of Pulse Secure security updates, Cyber Security Centers in several countries, including Canada, US and Japan have issued alerts calling local organizations to apply in a timely manner the security updates released by Pulse Secure, including the patch for CVE-2019-11510.

Post Pulse Secure VPN Patching Exploitation

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) recently issued a follow-up alert, warning organizations that those that applied the April 24, 2019 Pulse Secure VPN update could still face continued threat actor exploitation post Pulse Secure VPN patching. According to CISA, as the security vulnerability CVE-2019-11510 allows attackers to steal victim organizations’ credentials, failing to change those stolen credentials allows an attacker to move laterally through the organization’s network even after the organization has patched this vulnerability.

CISA reported it observed threat actors used connection proxies, such as Tor infrastructure and virtual private servers (VPSs), to lessen the chance of detection when they connected to victims’ networks via Pulse Secure VPN. The US Cybersecurity Agency found that once inside the victims’ networks, threat actors conducted the following malicious activities:

• Creating persistence via scheduled tasks/remote access trojans
• Amassing files for exfiltration
• Executing ransomware on the victim’s network environment

CISA added that, in one case, it observed a malicious actor attempting to sell the stolen Pulse Secure VPN credentials after 30 unsuccessful attempts to connect to a victim’s network to escalate privileges and drop ransomware. CISA also noted that this same malicious actor successfully dropped ransomware at hospitals and U.S. Government entities.

CISA further reported that malicious actors that leveraged stolen Pulse Secure VPN credentials used tools such as LogMeIn and TeamViewer. LogMeIn is a software that allows users to remotely access another computer. TeamViewer, meanwhile, is an all-in-one solution for remote support, remote access and online meetings. According to CISA, LogMeIn and TeamViewer enable malicious actors to maintain access to the victim’s network environment if they lost their primary connection, that is, via VPN access.

Preventive and Mitigating Measures Against Post Pulse Secure VPN Patching Exploitation

As many organizations encourage employees to work from home as a result of the current COVID-19 crisis, the use of VPN products has been increasing. It’s important to secure this communication line between remote workers and your organization.

Patching, from the word “patch”, is a set of changes to the source code of a software program for the purpose of fixing a known security vulnerability or to improve it.

While patching is still one of the top cybersecurity best practices, this practice alone isn’t enough especially when the exploited security vulnerability involves stolen authentication credentials. According to the US Cybersecurity Agency, organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch.

Below are the suggested detection methods by the US Cybersecurity Agency to find out if your organization had been targeted before applying the Pulse Secure VPN patch.

• Turn on unauthenticated log requests.
• Check logs for exploit attempts. To detect exploit attempts, look in the logs for strings such as ../../../data.
• Manually review logs for unauthorized sessions, in particular, sessions originating from unexpected geo-locations.
• Run CISA’s detection tool – a tool that’s available on CISA’s GitHub page. This tool allows system administrators to triage logs (provided authenticated request logging is turned on) and automatically search for CVE-2019-11510 exploitation.

The following are the additional suggested mitigating measures against post Pulse Secure VPN patching exploitation:

• Look for software programs installed without authorization.
• Remove software programs, especially those that allow remote access not approved by your organization.
• Remove any remote access trojans – malicious software that disguised as legitimate software.
• Check scheduled tasks for scripts or executables that could allow an attacker to connect to your organization’s work stations or servers.

“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment,” the US Cybersecurity Agency said.

Vulnerable Remote Working Technologies to Watch Out

Mass workforce working remotely has come way too soon as a result of the COVID-19 social distancing restrictions. This sudden shift, however, gives many organizations little time to prepare.

Vulnerable Remote Working Technologies

Below are some vulnerable remote working technologies to watch out as these vulnerabilities could allow cybercriminals to gain a foothold within your organization’s network:

VPN Vulnerabilities

VPN, short for virtual private network, is particularly aimed at remote workers and workers in branch offices to access corporate networks in a secure and private manner.

In 2019, security researchers have found and disclosed several security vulnerabilities in several VPN products. While vendors of these vulnerable VPN products, within a certain period of time, released security updates – also known as patches – fixing these disclosed security vulnerabilities, some users have delayed applying these patches resulting in the active exploitation of the disclosed security vulnerabilities.

Here are examples of VPN security vulnerabilities that have been actively exploited in the wild by cyberattackers:

- CVE-2018-13382: A security vulnerability in Fortinet Fortigate VPN that could allow an unauthenticated user to change the VPN user passwords.

- CVE-2019-1579: A vulnerability in the Palo Alto GlobalProtect VPN that could allow a remote, unauthenticated actor to execute arbitrary code on the VPN server.

- CVE-2019-11510: Multiple security vulnerabilities in the Pulse Connect Secure and Pulse Policy Secure products that could allow a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.

- CVE-2019-19781: A security vulnerability in Citrix Gateway virtual private network servers that could allow an attacker to remotely execute code without needing a login.

-VPN 2-Factor Authentication Bypass

Researchers at Fox-IT reported that a threat actor was able to gain VPN access to a victim’s network that was protected by 2-factor authentication (2FA).

“An interesting observation in one of Fox-IT’s incident response cases was that the actor steals a softtoken for RSA SecurID, which is typically generated on a separate device, such as a hardware token or mobile phone,” researchers at Fox-IT said. “In this specific case, however, victims using the software could also use a software-based token to generate 2-factor codes on their laptop. This usage scenario opens up multiple possibilities for an attacker with access to a victim’s laptop to retrieve 2-factor codes used to connect to a VPN server.”

Vulnerable Remote Working Apps

The COVID-19 crisis has turned the video-teleconferencing app a must-have. This technology allows employers and employees in different geographical locations to conduct meetings in real-time by using simultaneous audio and video transmission.

Amidst the COVID-19 crisis, the video-teleconferencing app called “Zoom” has come into the limelight, not just because of the growing number of users but because of the security threats that slowly come to light.

On March 23, 2020, security researcher known only as @_g0dmode on Twitter disclosed a security vulnerability in Zoom’s video-teleconferencing app. "#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users," @_g0dmode said. Security researcher Matthew Hickey expounded @_g0dmode’s discovery saying that Zoom’s video-teleconferencing app can be used to steal Windows credentials of users.

RDP Vulnerabilities

Vulnerabilities in Remote Desktop Protocol (RDP) – a network communications protocol developed by Microsoft that provides remote access over port 3389 – have recently been disclosed by Microsoft.

-CVE-2019-0708: Dubbed as “Bluekeep”, this vulnerability allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

- CVE-2020-0609 and CVE-2020-0610: Collectively dubbed as “BlueGate”, this vulnerability similarly allows an unauthenticated attacker to connect to the target system using RDP and sends specially crafted requests.

According to Microsoft, Bluekeep and BlueGate are pre-authentication vulnerabilities and require no user interaction. Microsoft described Bluekeep and BlueGate in the same way: “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Cybersecurity Best Practices

The above-mentioned security vulnerabilities on their own could allow malicious actors to gain access to your organization’s networks, for instance, through ransomware lockdown. Allowing remote workers to access your organization’s networks creates a much larger attack surface for cybercriminals.

Here are some cybersecurity best practices to keep your organization’s networks and your organization’s remote workers safe online:

Keep All Software Up to Date

All the above-mentioned security vulnerabilities have available patches. Apply these patches in a timely manner to keep your organization’s networks and remote workers safe online.

Be Mindful of How Your Organization’s Data Is Handled

In early April of this year, researchers at the University of Toronto reported that Zoom – a Silicon Valley-based company that owns 3 companies in China through which nearly 700 employees are paid to develop the app – used an encryption method that isn’t recommended as “patterns present in the plaintext are preserved during encryption”. The researchers also found that some of Zoom’s video-teleconferencing traffic was being routed through China even though all participants of the video-teleconference were in North America.

Zoom, for its part, said in a statement that the routing of some of Zoom’s video-teleconferencing traffic was a mistake and apologized for the said incident.

Stay safe!

7 Pillars of Cloud Data Governance

Cloud computing is fast becoming the norm. Even before COVID-19 forced countless businesses to switch to a remote structure and allow employees to work from home via cloud-based software, more than 70 percent of Canadian companies had migrated to the cloud.

While cloud computing offers a wealth of benefits (scalability, vast storage, task automation, remote accessibility, etc.), data security is a key risk organizations must consider.

This is where cloud data governance comes in.

What is Data Governance?

Data governance helps businesses to take tighter control of information related to its own operations, customers, finances, and strategies. Poor management can leave data in the wrong hands and allow unauthorized users to take advantage of weaknesses, such as gaining access to your accounts, supplying competitors with corporate secrets, and exploiting customers.

Effective data governance lets companies leverage information to make smarter decisions, understand target audiences, identify potential security vulnerabilities, and measure overall performance. Gathering data and analyzing it properly can help businesses manage their finances, supply chains, and production processes effectively over time.

Establishing a proper data governance framework encourages teams to treat data responsibly and follow processes that prevent breaches. Data will be created, stored, and deleted according to strict guidelines. This ensures organizations comply with regulations (such as GDPR) and minimize oversights that could cause severe reputational damage.

Without data governance, companies may lose track of which data has been gathered, where it is stored, which steps are required for compliance, and more.

In short: with so much critical data now stored and analyzed in the cloud, data governance is essential for security and efficiency.

7 Pillars of Cloud Data Governance

When putting a cloud data governance framework in place, organizations must consider the following factors as fundamental pillars:

1. Define your goals and motivations

First and foremost: identify those concerns and goals motivating your business to implement a data governance strategy.

This can vary from one company to another. Security may be a core concern prompting your organization to take cloud data governance seriously, particularly with more than 28 million Canadians affected by a data breach within just 12 months.

Hackers continue to leverage increasingly sophisticated techniques to gain unauthorized access to systems, and businesses’ cybersecurity defenses must be reinforced to mitigate dangers. If security is a main driver, companies should explore how they’re at risk and the ways in which data governance reduces them.

Whatever the main drivers, they have to be clarified and discussed to justify the level of investment channeled into effective data governance. This establishes fixed goals that can drive quality decision-making from the start.

2. Establish clear roles within your team

Accountability is vital in building a cloud data governance framework. Certain individuals should be responsible for specific data assets (such as customer records) and have the knowledge to make decisions concerning utilization.

These ‘data owners’ should be chosen carefully based on their familiarity with the entities and their purpose, such as the team/person most likely to recognize an issue with the relevant data.

Data owners must be able to understand a data asset’s function and value within the business. They need the authority to greenlight actions, such as cleansing or improving the application of relevant data.

3. Bring key stakeholders up to date

Internal and external stakeholders should be aware of the current and planned status of data governance. Implementing a framework must be a well-planned, well-informed process, in which all key personnel understand why, how, and when changes are taking place.

All stakeholder needs must be considered when putting cloud data governance into effect. This includes shareholders, third-party vendors, business partners, and customers — improper collection, storage, and utilization of data in the cloud can have profound effects on them all.

4. Determine critical data elements

Critical data elements (CDEs) are classified as data which is essential for success in one or more areas of business. CDEs might contain personal information that must be protected to ensure compliance with privacy laws, such as that relating to a customer, supplier, or a product’s manufacturing process.

If any of these were to be compromised, business operations and quality could be put at risk. As a result, critical data elements should be determined when setting a cloud data governance framework in place, to keep them secure and managed properly to make the most of the information available.

5. Choose the most valuable metrics for performance tracking

Certain metrics can be utilized to measure the performance and value of data governance over time.

These may include cost reduction, data accuracy, the number of times data has to be updated to address issues, timeliness of data, and more. Monitor your chosen metrics consistently to identify potential improvement opportunities.

6. Pick your tools and technologies wisely

The right tools help to make effective data governance easier. They cultivate stronger decision-making, data management, and data quality, while automating smaller tasks for more time-efficient processes.

Popular data governance tools include Talend, Collibra, IBM, and IO-TAHOE. Choose your tools and technologies carefully to make sure they align with your business goals, processes, expectations, and budget. Again: don’t rush into a decision. Good data governance is too valuable to underestimate.

7. Keep your team educated and updated

It’s crucial that all employees and stakeholders stay updated on the value of effective cloud data governance. Regular training should be delivered in accessible programs, covering procedures, policies, data owners, technologies, and crisis responses.

This reduces the risk of mistakes or oversights caused by educational blind spots. When you first start building your data governance framework, try to identify the current level of awareness and put training programs which align with this in place.

Cloud data governance is fundamental for any company switching to cloud-based technologies. Cybersecurity and compliance are two of the most important elements to consider when putting a framework in place: errors in either can lead to serious problems with the potential to disrupt operations significantly.

To discuss our data governance, third-party risk management, compliance, and vulnerability management services, just get in touch today!

Cybercriminals Take Advantage of the COVID-19 Crisis by Launching DDoS Attacks

As a significant number of people have shifted to working remotely from home in light of the COVID-19 pandemic, cybercriminals are taking advantage of the current crisis by launching distributed denial-of-service (DDoS) attacks.

What Is DDoS Attack?

DDoS, short for distributed denial-of-service, is a type of cyberattack by which an attacker hijacks vulnerable computers and controls these hijacked computers as a “botnet” – a group of hijacked computers controlled by an attacker to perform malicious activities such as DDoS attacks.

DDoS enables attackers to launch more attack power on a target such as a particular website, driving more traffic to this targeted website and rendering this target unable to serve its legitimate users. DDoS attacks nowadays can be launched by low skilled attackers as botnets aimed for DDoS attackers are being rented out as “attack-for-hire” services, making this type of crime readily available and relatively cheap.

DDoS attack-for-hire services and the mere fact that those that launch the actual attacks are hijacked computers make attribution of the real source of the DDoS attack difficult to identify.

DDoS Attacks During the COVID-19 Pandemic

As of April 4, 2020, the Canadian Government reported 13,882 confirmed COVID-19 cases and 231 confirmed deaths in Canada. Globally, as of April 5, 2020, the World Health Organization (WHO) reported 1,093,349 confirmed COVID-19 cases and 58,620 confirmed deaths worldwide.

The COVID-19 pandemic, which resulted in the lockdown or quarantine of nearly a billion people worldwide, gave way to the unprecedented number of people shifting to working remotely from home. This global crisis requires everyone to step up in terms of cybersecurity as attackers have seemed to be stepping up in exploiting the crisis.

DDoS attackers collectively exploit the growing need of businesses to serve their customers online. In the foreword of the paper "Catching the virus cybercrime, disinformation and the COVID-19 pandemic", Catherine De Bolle, Executive Director of the European Union Agency for Law Enforcement Cooperation, better known under the name Europol, said: "This pandemic brings out the best but unfortunately also the worst in humanity. With a huge number of people teleworking from home, often with outdated security systems, cybercriminals prey on the opportunity to take advantage of this surreal situation and focus even more on cybercriminal activities.”

The Europol reported that since the outbreak of the COVID-19 pandemic, there has been a slight increase in DDoS attacks. The report added that it’s expected that there will be an increase in the number of DDoS attacks in the short to medium term. “Due to a significant increase in the number of people working remotely from home, bandwidth has been pushed to the limit, which allows perpetrators to run ‘extortion campaigns’ against organisations and critical services and functions,” the Europol said.

Last March 19, Jitse Groen, Founder and CEO of Takeaway.com, shared a screencap via Twitter a message from the DDoS attacker or attackers. The attackers demand from Groen 2 bitcoins (valued nearly 14,000 USD as of April 5, 2020).

Groen’s company Takeaway.com is one of Europe’s leading online food delivery marketplace, connecting consumers and restaurants in different European countries. The attackers told Groen that one of his company’s websites was under DDoS attack and the attackers threatened to attack another company website.

In another part of the globe, last March 15, DDoS attackers attempted to launch an attack on the U.S. Department of Health and Human Services (HHS) website using an undisclosed flood of DDoS traffic. “On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter,” HHS spokeswoman Caitlin Oakley said in a statement.

Officials told Bloomberg that the campaign of disruption on HHS’s website was part of a campaign of disinformation that was aimed at undermining the response of the U.S. Government to the COVID-19 pandemic. The HHS website is one of the go-to places for US citizens looking for health information, including official announcements and links to COVID-19 updates from the Centers for Disease Control and Prevention (CDC).

How to Protect Your Organization’s Website from DDoS Attacks

In a DDoS attack, two vulnerabilities are exploited by attackers: vulnerable computers hijacked for botnets and vulnerable websites.

Vulnerable computer systems, including IoT devices such as routers, often don’t have sound security postures, making them easy prey for DDoS attackers. These IoT devices come with default username and password combinations that are never changed by users, making them vulnerable to be exploited as part of a botnet for DDoS attacks.

By using IoT products’ default username and password combinations, a DDoS attacker can easily hijack hundreds of thousands of these IoT devices, all along without the knowledge of the owners of the IoT devices. To prevent your organization from being part of the bigger DDoS problem, ensure that default username and password combinations of IoT devices are changed to stronger authentication credentials.

Owners of websites that are vulnerable to DDoS attacks often don’t even realize that their websites are under DDoS attacks as symptoms of these attacks are similar to non-malicious activities such as slow network performance in either accessing the website or in opening files or total unavailability of a website. Owners of sites that are under DDoS attacks often only know about this form of attack when notified by the attackers themselves.

A DDoS attack can best be monitored via a firewall or intrusion detection system. Through this firewall or intrusion detection system, rules can be set up to detect unusual traffic or drop network packets when certain criteria are met.

When you are concerned about DDoS attacks or already under attack, give us a call at 1.888.900.DRIZ (3749) or contact us online.

Call today and we will mitigate DDoS attack in under 10-minutes. Best of all, there is no hardware or software to buy or maintain, and no IT support requirements. Stay safe!