24 April 2020

NSA, ASD issue a guidance for mitigating web shell malware

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have for the first time released a joint security advisory warning of cyber actors increasingly deploying web shells to gain persistent access to compromised networks.

“Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools,” the NSA said.

In the 17-page report, the two intelligence agencies provide a wide range of information on how to detect hidden web shells, prevent their installation, and manage the response to an intrusion.

The report also includes a list of web application vulnerabilities that are commonly exploited to install malware, including flaws in popular applications like Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, the Zoho ManageEngine, and Adobe ColdFusion.

This list was not intended to be exhaustive, but rather to give insight into some frequently exploited cases, the agencies explained.

"Organizations are encouraged to patch both internet-facing and internal web applications rapidly to counter the risks from 'n-day' vulnerabilities," the NSA and the ASD added.

Additionally, the security advisory contains tools to help system administrators detect and resist these types of threats, including:

  • Scripts to compare a production website to a known-good image

  • Splunk queries for detecting anomalous URLs in web traffic

  • An Internet Information Services (IIS) log analysis tool

  • Network traffic signatures for common web shells

  • Instructions for identifying unexpected network flows

  • Instructions for identifying abnormal process invocations in Sysmon data

  • Instructions for identifying abnormal process invocations with Auditd

  • HIPS rules for blocking changes to web-accessible directories
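The first item in that list, comparing a production web root against a known-good image, is the technique defenders most often start with, because a web shell is typically an added or modified file inside an existing application. The following Python script is an added illustration of that comparison and is not code from the advisory or from the NSA's GitHub repository. It builds a SHA-256 manifest of a known-good tree, builds another of the production tree, and reports files that were added, modified or removed; the two directory trees it compares are constructed inside the script so it runs offline.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def compare_manifests(known_good: dict[str, str], production: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a trusted manifest and the live tree.

    'added' is the category to triage first: a file that exists in production
    but never existed in the deployed image is the classic web shell footprint.
    """
    added = sorted(set(production) - set(known_good))
    removed = sorted(set(known_good) - set(production))
    modified = sorted(
        path for path in known_good.keys() & production.keys()
        if known_good[path] != production[path]
    )
    return {"added": added, "modified": modified, "removed": removed}


def diff_trees(known_good_root: Path, production_root: Path) -> dict[str, list[str]]:
    """Convenience wrapper: hash both trees and compare them."""
    return compare_manifests(build_manifest(known_good_root), build_manifest(production_root))


def demo() -> dict[str, list[str]]:
    """Construct a known-good tree and a drifted production copy, then diff them.

    All file names and contents here are constructed sample data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        prod = Path(tmp) / "production"
        baseline = {
            "index.php": "<?php echo 'hello'; ?>",
            "assets/app.js": "console.log('ok');",
            "config.php": "<?php $db = 'prod'; ?>",
        }
        for root in (good, prod):
            for rel, content in baseline.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(content)
        # Constructed drift: one new file in an upload directory (placeholder
        # content, not a real web shell), one edited file, one deleted file.
        (prod / "uploads").mkdir()
        (prod / "uploads" / "image.php").write_text("<?php /* constructed placeholder */ ?>")
        (prod / "config.php").write_text("<?php $db = 'prod'; /* edited */ ?>")
        (prod / "assets" / "app.js").unlink()
        return diff_trees(good, prod)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Two practical points the script does not address: the known-good manifest should be generated from the deployment artifact and stored off the web server, since an attacker with write access to the web root can otherwise edit the baseline too; and directories that legitimately change at runtime (uploads, caches, logs) need either a separate allow-list or a rule that flags executable file types there, because a flat diff of those paths will otherwise drown real findings in noise.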

Tools and signatures to help defend networks against web shell malware are also available in the NSA’s dedicated GitHub repository.
