
NSA Shares Guide to Web Shell, Malware Vulnerabilities, Mitigation

A joint advisory from NSA and the Australian Signals Directorate reveals the common vulnerabilities exploited by hackers to plant web shell malware and mitigation techniques.

The National Security Agency (NSA) and the Australian Signals Directorate (ASD) released an advisory urging organizations to be alert for common web shell malware that may be found on web-facing and internal networks, along with guidance detailing mitigation techniques.

Web shells are malicious code used to gain a foothold on web servers and to spread a compromise further. They’re typically written in common web development programming languages, such as JSP.

Hackers typically create web shells by adding or modifying files within an existing web application, and the shells are most often deployed on the victim’s web server. Web shells can be placed by exploiting web application vulnerabilities or by “uploading to otherwise compromised systems.”

Further, cybercriminals frequently chain web shells across multiple compromised systems to route traffic through networks, including from internet-facing systems into internal networks.

“Though the term ‘web shells’ is predominantly associated with malware, it can also refer to web-based system management tools used legitimately by administrators,” officials explained. “While not the focus of this guidance, these benign web shells may pose a danger to organizations as weaknesses in these tools can result in system compromise.”

“While some web shells do not persist, running entirely from memory, and others exist only as binaries or scripts in a web directory, still others can be deeply rooted with sophisticated persistence mechanisms,” they added. “Regardless, they may be part of a much larger intrusion campaign.”

According to the guidance, cybercriminals are increasingly deploying web shell malware on web servers to execute arbitrary system commands. Once the malware is deployed, a hacker can gain persistent access to the compromised network.

What’s worse, the threat actors can hide on the victim’s network by using communications that blend with legitimate traffic.

“This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic,” officials explained.

“Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS,” they added. “Web shell malware has been a threat for years and continues to evade detection from most security tools.”

Officials noted a common misconception that only internet-facing systems can be targeted with web shells; this is simply untrue. Hackers frequently deploy web shells on non-internet-facing web servers, including internal content management systems and network device management interfaces.

In fact, internal web applications are often more susceptible to these kinds of attacks, because many organizations apply lax or lagging patch management and permissive security requirements to them.

IT teams may also find web shells difficult to detect, since they are easily modified by hackers, who often use encryption, encoding, and obfuscation to hide the malicious activity.

“A defense-in-depth approach using multiple detection capabilities is most likely to discover web shell malware. Detection methods for web shells may falsely flag benign files,” officials explained. “Administrators should use system management software leveraging enterprise authentication methods, secure communication channels, and security hardening.”

NSA and ASD provided several recommended detection techniques, including “known good” comparison, web traffic anomaly detection, signature-based detection, unexpected network flows, endpoint detection and response capabilities, and other network traffic indicators like recurring off-peak access times.
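One of the listed techniques, web traffic anomaly detection combined with the “recurring off-peak access” indicator, can be scripted against ordinary web server access logs. The example below is added here and is not part of the advisory; the log lines are constructed, and the thresholds (business hours, maximum distinct clients, POST and off-peak ratios) are assumptions to be tuned per application.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2020:02:14:07 +0000] "POST /images/cache.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2020:02:15:11 +0000] "POST /images/cache.jsp HTTP/1.1" 200 288 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2020:02:13:59 +0000] "POST /images/cache.jsp HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2020:10:02:33 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Apr/2020:11:45:03 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2020:14:20:18 +0000] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.10 - - [13/Apr/2020:15:01:44 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (client_ip, timestamp, method, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"]

def suspicious_uris(log_text, business_hours=(8, 18), min_requests=3,
                    max_clients=2, min_offpeak=0.8, min_post=0.8):
    """Flag paths hit repeatedly by very few clients, mostly by POST, mostly off-peak.

    Those three traits together are typical of operator traffic to a web shell and
    atypical of a normal page. Thresholds are assumptions; tune them per application."""
    stats = defaultdict(lambda: {"ips": set(), "n": 0, "offpeak": 0, "post": 0})
    for ip, ts, method, path in parse(log_text):
        s = stats[path]
        s["ips"].add(ip)
        s["n"] += 1
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            s["offpeak"] += 1
        if method == "POST":
            s["post"] += 1
    flagged = []
    for path, s in stats.items():
        if (s["n"] >= min_requests and len(s["ips"]) <= max_clients
                and s["offpeak"] / s["n"] >= min_offpeak
                and s["post"] / s["n"] >= min_post):
            flagged.append(path)
    return sorted(flagged)
```

A flagged path is a lead for the “known good” comparison and endpoint review described in the guidance, not a verdict on its own.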

Officials warn that it is imperative to prioritize web shell mitigations on both internet-facing and internal web servers. These measures should begin with prioritizing web application updates, as hackers will target vulnerabilities in these endpoints within 24 hours of a patch release.

IT teams should always patch outdated software as soon as possible, enabling automatic updates and frequent update scheduling; daily updates are recommended. Where automatic updates are not possible, manual updates should be applied frequently.

Least privilege security should be the mantra of all enterprises, especially regarding web applications. Officials explained that web applications should not be given permissions to write directly to a web accessible directory or modify web accessible code.

“Attackers are unable to upload a web shell to a vulnerable application if the web server blocks access to the web accessible directory,” according to the guidance. “To preserve functionality, some web applications require configuration changes to save uploads to a non-web accessible area.”

“Prior to implementing this mitigation, consult documentation or discuss changes with the web application vendor,” it continued.

When these measures are not possible, IT teams should lean on file integrity monitoring for a “similar effect.” File integrity software is designed to block file changes to any web accessible directory or alert the administrator to changes, while allowing certain file changes and blocking others.
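The “known good” comparison from the detection list and the file integrity monitoring described here rest on the same mechanism: a hashed baseline of the web-accessible directory, compared against its current contents, with new or changed server-executable files surfaced first. The example below is added here and is not from the advisory or any vendor product; the web root, file names and the extension list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server would execute; a new or changed file with one of these
# under the web root deserves the most urgent review (assumed list, extend per server).
EXECUTABLE_EXT = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx", ".cfm"}

def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def compare(baseline, current):
    """Diff two manifests; 'urgent' lists added/modified files the server would execute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    urgent = sorted(p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXT)
    return {"added": added, "removed": removed, "modified": modified, "urgent": urgent}

def demo():
    """Constructed scenario: baseline a small web root, then drift it and re-compare."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "images").mkdir()
        (root / "index.jsp").write_text("<html>hello</html>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        baseline = build_manifest(root)
        # Drift: index.jsp edited, a script file appears in the upload directory,
        # and an image is removed. All contents are placeholders.
        (root / "index.jsp").write_text("<html>hello</html><%-- edited --%>")
        (root / "images" / "cache.jsp").write_text("<%-- constructed placeholder file --%>")
        (root / "images" / "logo.png").unlink()
        return compare(baseline, build_manifest(root))
```

In practice the baseline is taken from a clean deployment artifact (for example the release package), not from the running server, so that an already-planted file is not enshrined as “known good.”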

Organizations may also consider implementing Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF), which add defensive layers by blocking various known attacks and malicious uploads.

NSA and ASD also urged organizations to implement guidance from the Open Web Application Security Project (OWASP), which details “patterns for blocking certain malicious uploads.”

“As with any signature-based blocking, attackers will find ways to evade detection, so this approach is only one part of a defense-in-depth strategy,” officials wrote. “Note that IPS and WAF appliances may block the initial compromise but are unlikely to detect web shell traffic.”

“To maximize protection, security appliances should be tailored to individual web applications rather than using a single solution across all web servers. For instance, a security appliance configured for an organization’s content management system can include application specific rules to harden targeted weaknesses that should not apply to other web applications,” they added.

Further, security tools should be enabled to receive real-time mitigations for any emerging threat. The guide also recommends network segmentation and the hardening of web servers to prevent web shells and other compromises.

Once an organization has discovered a web shell, IT teams should seek to determine whether the attacker penetrated further into the network. For those instances, NSA and ASD recommended the use of packet capture (PCAP) and network flow data, which can help determine whether the web shell was being used to proliferate across the network and to which locations.

“If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time,” officials warned.

The web shell guidance also provides in-depth technical insights for IT teams to assist with detection in web traffic and in Internet Information Services (IIS), among other penetration points.
