Feb 06 2025
Security

How To Detect and Remove Threatening Web Shells

Secretly planted scripts allow malicious actors to enter at a later date. Here’s how to detect and remove them.

Stealthy, persistent threats that open back doors to targeted systems can be just as dangerous as cyberattacks that pose more immediate risks. These slow-acting hacks rely on malicious scripts uploaded to web servers that permit attackers to administer or control the servers remotely. Web shells are scripts or programs for legitimate web-based system management or administration, but bad actors can use them to gain persistent access to web servers.

The federal Cybersecurity and Infrastructure Security Agency, along with the FBI and international cybersecurity partners, issued an advisory last February warning that malicious actors were exploiting these hidden vulnerabilities.


A zero-trust environment can deter web shell attacks, but CISA advises organizations to be on the lookout nonetheless while on the path to zero trust. Common targets include edge devices or other internet-facing technologies. (The attack behind the CISA directive targeted a VPN product.)

Malicious web shells are delivered by exploiting server or web app vulnerabilities or configuration weaknesses, and their popularity with black hat hackers is rising. Microsoft reported tracking an average of 140,000 active web shells every month in 2021.

When Are Web Shells Dangerous?

CISA issued a directive in January notifying organizations of the active exploitation of vulnerabilities in two widely used VPN and network access control solutions.

According to CISA, these vulnerabilities could be exploited to implant a web shell with back door access, enabling an attacker to move laterally in the network to exfiltrate data or execute malware attacks.

Malicious web shells are dangerous not only because they establish back doors into systems, allowing remote attackers to bypass security restrictions and gain unauthorized system access, but also because of how difficult they can be to detect.


They may be as small as a single line of code, hidden in encrypted HTTPS traffic or in encoded plain text, and they can rotate among protocols and ports to obscure their intent.

Attackers can execute web shell payloads hidden in cloud management applications on widely used cloud providers. In the case recently cited by CISA, attackers compromised a product’s internal integrity checker, ensuring it would fail to alert security teams to the breach.

$1.5M: the reduction in data breach costs for organizations with a high level of incident response planning and testing, versus those with little to no IR planning. (Source: IBM Security, The Cost of a Data Breach Report 2023, December 2023)

How To Respond to Malicious Web Shells

To protect against scripts containing malicious web shells, organizations need strong security processes and tools. Ensure software and patches are kept up to date to reduce exposure to vulnerabilities that could be exploited to inject web shells. The Exploit Prediction Scoring System helps teams prioritize remediation efforts.

Use web application firewalls to filter and monitor HTTP traffic to detect and block common web shell patterns. Check content security policies to specify and control the resources that can be loaded to web pages, as well as the users who can access system utilities and directories.

Monitor server logs for suspicious activities, such as unexpected file modifications or unusual access patterns, and disable unnecessary services and ports. Perform regular security audits of the website’s code base, configuration and server settings.

How To Detect and Remove Malicious Web Shells

Detect unwanted web shells as quickly as possible by using file integrity monitoring to identify unexpected changes, such as unusual time stamps. Tools such as Tripwire anomaly detection can establish a baseline of normal website behavior and traffic to help identify anomalous actions.

Review web server logs for suspicious activities, such as requests for nonexistent files or repeated access to specific files. Do the same for website files and other internet-accessible locations, looking for suspicious names or extensions that do not match the content type.

Security solutions from Trellix and Symantec can maintain a signature database of known web shells.
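The log review and file checks described above can be scripted. The example below is added here and is not from the article or any vendor tool; it runs over a constructed sample of access-log lines (combined log format) and flags clients that repeatedly request nonexistent files, paths that a single client keeps POSTing to, and files whose extension says "image" or "text" while the content starts with server-side script markup. Thresholds and the marker list are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in combined log format (not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2025:10:02:10 +0000] "GET /uploads/cache.php HTTP/1.1" 200 210 "-" "curl/8.4"
10.0.0.9 - - [06/Feb/2025:10:02:11 +0000] "POST /uploads/cache.php HTTP/1.1" 200 330 "-" "curl/8.4"
10.0.0.9 - - [06/Feb/2025:10:02:12 +0000] "POST /uploads/cache.php HTTP/1.1" 200 412 "-" "curl/8.4"
10.0.0.9 - - [06/Feb/2025:10:02:13 +0000] "POST /uploads/cache.php HTTP/1.1" 200 398 "-" "curl/8.4"
10.0.0.7 - - [06/Feb/2025:10:03:00 +0000] "GET /old/admin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.7 - - [06/Feb/2025:10:03:01 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.7 - - [06/Feb/2025:10:03:02 +0000] "GET /config.php.bak HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_log(text):
    """Return (client, method, path, status) tuples; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out

def probing_clients(entries, min_404=3):
    """Clients requesting many nonexistent files: a common sign of scanning for dropped files."""
    misses = Counter(ip for ip, _, _, status in entries if status == 404)
    return {ip: n for ip, n in misses.items() if n >= min_404}

def lone_client_post_targets(entries, min_posts=3):
    """Paths that only one client POSTs to repeatedly, as a shell driven by its operator would look."""
    posters = defaultdict(set)
    counts = Counter()
    for ip, method, path, status in entries:
        if method == "POST" and status == 200:
            posters[path].add(ip)
            counts[path] += 1
    return sorted(p for p in counts if counts[p] >= min_posts and len(posters[p]) == 1)

PASSIVE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt", ".css"}  # assumed "non-script" types
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<jsp:", b"<script runat")  # assumed server-side markers

def extension_mismatch(filename, head):
    """True when a passive-looking file (image, text) actually begins with server-side script markup."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in PASSIVE_EXTS and any(marker in head[:512] for marker in SCRIPT_MARKERS)
```

Feed real logs to parse_log and the first 512 bytes of each file under the web root to extension_mismatch; every hit is a lead for manual review, not proof of compromise on its own.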

Removing scripts containing web shells from a compromised server involves a careful approach to ensure complete eradication. The malicious actor will have not only left behind a web shell with a back door but also probably exported configurations and private certificates that were on the server.


CISA recommends following the vendor’s mitigation instructions until a patch is released; it is then critical to implement that patch within 48 hours. Hackers exploit 50% of known vulnerabilities within two days of disclosure, according to a Carnegie Mellon University study, so time is of the essence.

Mitigation steps for compromised systems may include backing up the appliance configuration, restoring it to factory settings and then upgrading it to the version that was running prior to factory reset.

In addition, agencies should restore appliance configurations from backup, and revoke and reissue any certificates stored on the affected appliance.

Changing passwords and access permissions is critical. Reset the admin password and application programming interface keys stored on the appliance, passwords for local users defined on the gateway, and license server credentials.
