Thought leadership. Threat analysis. Cybersecurity news and alerts.
Microsoft Reports Growing Web Shell Attacks
An average of 77,000 web shell attacks are detected each month on an average of 46,000 distinct computers, this according to the latest report released by Microsoft.
What Is a Web Shell?
Web shell is a malicious code that cybercriminals implant on internet-facing servers to remotely access server functions. This malicious code allows criminals to steal data on the compromised internet-facing server or used this compromised server as a stepping stone for further attacks against their victims.
China Chopper is an example of a web shell. It was first discovered in 2012. After nearly a decade after its discovery, China Chopper remains as the most widely used web shell. Researchers at Cisco Talos Intelligence Group said that as China Chopper is widely available, it’s nearly impossible to attribute this form of attack to a particular group.
Analysis of the China Chopper by researchers at Cisco Talos showed that this web shell allows attackers to retain access to an already compromised web server using a client-side application. This client-side application, the researchers said, contains all the logic needed to control the target, making it handy for threat actors to use. The researchers added that China Chopper only targets systems that run a web server application.
Web Shell Attacks
According to Microsoft, a victim of a web shell attack – an organization in the public sector that Microsoft refused to name – enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct full incident response and remediate the said attack before it could cause further damage.
DART’s investigation showed that the unnamed organization’s attackers implanted a web shell in multiple folders of the organization’s web server. This implanted web shell allowed the attackers to compromise the service accounts and domain admin accounts. DART’s investigation also showed that the initial implanted web shell allowed the attackers to look for additional target systems and install web shells on these additional targeted systems.
Threat groups ZINC, KRYPTON, and GALLIUM are known to have used web shells in their cyber-attacks. According to Microsoft, web shell attackers exploit the security vulnerabilities in web applications or web servers, including the lack of the latest security updates, as well as the lack of antivirus tools, lack of network protection, lack of proper security configuration and lack of informed security monitoring. Attacks typically happen during off-hours or weekends, when attacks are likely not immediately spotted and responded to, Microsoft said.
Security vulnerabilities referred to as CVE-2019-16759 and CVE-2019-0604 are some of those exploited by attackers, Microsoft added. Both CVE-2019-16759 and CVE-2019-0604 had been patched by their respective software vendors.
CVE-2019-16759 is a security vulnerability in vBulletin, a proprietary forum software used by more than 100,000 websites, including websites used by major companies and organizations. CVE-2019-0604, meanwhile, is a security vulnerability in Microsoft SharePoint – a web-based platform that integrates with Microsoft Office. Successful exploitation of CVE-2019-0604 allows an attacker to run malicious code in the context of the SharePoint application pool and the SharePoint server farm account.
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, warning Canadian organizations of the on-going cyber-attacks that first exploit the security vulnerability of Microsoft SharePoint, in particular, CVE-2019-0604, leading to the deployment of the China Chopper web shell. The following unpatched versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2010 SP2, Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016.
"The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
An internal confidential document from the United Nations (U.N.) dated September 20, 2019 and leaked to The New Humanitarianshowed that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019. The internal confidential document from the U.N., seen by the Associated Press, showed that the U.N. attackers were able to access the public organization’s servers by exploiting the security vulnerability of Microsoft’s SharePoint software, in particular, CVE-2019-0604 – a vulnerability that was patched by Microsoft in February and March 2019 but the U.N. failed to update its systems.
Preventive and Mitigating Measures Against Web Shell Attacks
It’s worthy to note that web shells are only deployed on the victims’ internet-facing servers after attackers find an initial loop-hole on the victims’ servers. As shown in the above-mentioned examples, initial entry of the attackers, include unpatched vBulletin (CVE-2019-16759) and unpatched SharePoint (CVE-2019-0604). It’s important, therefore, to patch all your organization’s software in a timely manner as attackers are quick to exploit unpatched software.
In the case of CVE-2019-0604 vulnerability, Microsoft’s March 12, 2019 update should be applied. In the case of CVE-2019-16759, vBulletin’s version 5.5.2/3/4 Patch Level 1 update should be applied. To mitigate vBulletin’s exposure, disable PHP, Static HTML, and Ad Module rendering setting in the administration panel.
It’s also important to practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks. For instance, servers that housed your organization’s critical information and are strictly meant for on-premise use should be part of one sub-network and be kept offline. This way, if attackers manage to infect other sub-networks, this critical sub-network won’t be affected.
You don’t have to face cybercriminals alone. Our experts will help you assess the current state of your cybersecurity posture, and develop a plan to proactively mitigate cyber threats.
Contact us today and protect your most valuable digital assets and your brand’s reputation.
Steve E. Driz, I.S.P., ITCP