The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have for the first time released a joint security advisory warning of cyber actors increasingly deploying web shells to gain persistent access to compromised networks.
“Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools,” the NSA said.
In the 17-page report, the two intelligence agencies describe how to detect hidden web shells, how to prevent their installation, and how to manage the response once an intrusion is found.
The report also includes a list of web application vulnerabilities that are commonly exploited to install web shells, including flaws in popular products such as Microsoft SharePoint, Microsoft Exchange, Citrix, Atlassian Confluence, WordPress, Zoho ManageEngine, and Adobe ColdFusion.
The agencies note that the list is not meant to be exhaustive, but to give insight into some of the most frequently exploited cases.
"Organizations are encouraged to patch both internet-facing and internal web applications rapidly to counter the risks from 'n-day' vulnerabilities," the NSA and the ASD added.
Additionally, the advisory contains tools to help system administrators detect and resist these types of threats, including:
Scripts to compare a production website to a known-good image
Splunk queries for detecting anomalous URLs in web traffic
An Internet Information Services (IIS) log analysis tool
Network traffic signatures for common web shells
Instructions for identifying unexpected network flows
Instructions for identifying abnormal process invocations in Sysmon data
Instructions for identifying abnormal process invocations with Auditd
HIPS rules for blocking changes to web-accessible directories
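The first item in that list, comparing a production web root against a known-good image, is the most direct way to spot a web shell that was dropped as a new file or spliced into an existing one. The script below is an added illustration of that idea and is not the NSA/ASD repository's own tool: it hashes every file under a directory into a manifest, diffs the current manifest against a known-good one, and flags added or modified files with an extension the web server would execute. The sample web root, the "dropped" file names and the extension list are constructed for the example.

```python
"""Compare a production web root against a known-good manifest of file hashes.

Added example for the "compare a production website to a known-good image"
technique; illustrative code, not the script from the NSA/ASD repository.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions the web server would execute. A new or changed file with one of
# these is a far stronger web shell indicator than a changed image or CSS file.
# (Assumed list for the example; tune it to the server's handler mappings.)
EXECUTABLE_EXTS = {".php", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".cfm"}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_known_good(known_good: Dict[str, str], production: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests. 'suspicious' is the subset of added/modified files
    whose extension the web server executes; those deserve review first."""
    added = sorted(set(production) - set(known_good))
    removed = sorted(set(known_good) - set(production))
    modified = sorted(p for p in known_good.keys() & production.keys() if known_good[p] != production[p])
    suspicious = sorted(p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXTS)
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a clean deployment, then simulate an
    intrusion (a script dropped into an upload directory, a legitimate page
    appended to, an asset deleted) and diff against the snapshot."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        known_good = build_manifest(root)  # the "known-good image"

        # Constructed post-compromise changes; the content is a harmless placeholder.
        (root / "images" / "cache.php").write_text("<?php /* placeholder */ ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* appended */ ?>\n")
        (root / "images" / "logo.png").unlink()
        return compare_to_known_good(known_good, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two caveats a practitioner would apply: the known-good manifest must come from a trusted source (a build artifact or a snapshot taken before exposure), not from the possibly compromised host itself; and directories the application legitimately writes to (uploads, caches) will generate noise, so either exclude them from the diff or treat any executable-extension file appearing in them as suspicious by default.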
Tools and signatures to help defend networks against web shell malware are also available in the NSA’s dedicated GitHub repository.