The number of attacks utilizing web shells continues to increase steadily, with an average of 140,000 such threats being detected on compromised servers every month, Microsoft warns. According to the tech giant, the number of web shell attacks almost doubled since the previous year.
A web shell is a small tool that hackers plant on target web servers to gain remote access to server functions. It also allows attackers to run commands on servers to steal data, or to use the compromised server as a launch pad for other activities, such as credential theft, lateral movement within the network, deployment of additional malicious payloads, or hands-on-keyboard activity.
Typically, attackers search the internet for vulnerable servers and install web shells by exploiting security holes like flaws in web applications or in internet-facing servers.
“Web shells can be built using any of several languages that are popular with web applications. Within each language, there are several means of executing arbitrary commands and there are multiple means for arbitrary attacker input. Attackers can also hide instructions in the user agent string or any of the parameters that get passed during a web server/client exchange,” Microsoft said.
The Windows maker also shared some recommendations on how to harden servers against web shell attacks. Here they are:
Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
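The recommendations to keep upload directories free of server-side scripts and to review web server logs regularly can be combined into a simple log review. The script below is an added example, not part of Microsoft's guidance or this article: it parses Apache "combined"-format access-log lines (a constructed sample is embedded) and flags three indicators that Microsoft's description points at: a script file (.php, .asp, .aspx, .jsp, ...) being requested under a directory meant for uploads, query parameters with command-style names, and long base64-looking tokens in the User-Agent header. The upload-directory list, parameter names and the 20-character threshold are assumptions to tune for your own site.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed Apache "combined"-format access-log lines (not real traffic).
# 203.0.113.10 has placed a PHP file in the upload directory and drives it;
# 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Feb/2021:10:00:05 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Feb/2021:10:00:09 +0000] "GET /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Feb/2021:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8812 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [05/Feb/2021:10:01:30 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Feb/2021:10:02:00 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 77 "-" "Mozilla/5.0 (compatible; ZWNobyBoZWxsbyB3b3JsZA==)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed directories that accept user uploads. A server-side script living
# here is a strong indicator, because these paths should never be executable.
UPLOAD_DIRS = ("/uploads/", "/images/", "/files/", "/tmp/")
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|asp|aspx|ashx|jsp|jspx|cfm)$", re.I)
# Assumed query-parameter names typically used to hand a command to a web shell.
COMMAND_PARAMS = {"cmd", "exec", "command", "execute", "system", "shell", "run"}
# Long base64-looking runs in the User-Agent; 20+ characters keeps ordinary
# browser tokens such as "Mozilla/5" from matching.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_request(rec):
    """Return the list of web-shell indicators that fire for one parsed request."""
    reasons = []
    url = urlparse(rec["target"])
    path = url.path
    if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT_RE.search(path):
        reasons.append("server-side script under upload directory")
    # Only the query string is visible in an access log; POST bodies are not,
    # so a shell driven via POST is caught by the path rule above, not here.
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    hit = sorted(params & COMMAND_PARAMS)
    if hit:
        reasons.append("command-style parameter: " + ",".join(hit))
    if B64_RE.search(rec["ua"]):
        reasons.append("base64-like token in User-Agent")
    return reasons


def scan_log(text):
    """Return [(ip, target, reasons)] for every request with at least one indicator."""
    flagged = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if reasons:
            flagged.append((rec["ip"], rec["target"], reasons))
    return flagged


def suspicious_paths(text):
    """Count flagged requests per path, to surface the file to inspect on disk."""
    counts = Counter()
    for _ip, target, _reasons in scan_log(text):
        counts[urlparse(target).path] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {'; '.join(reasons)}")
    print("paths to inspect on disk:", suspicious_paths(SAMPLE_LOG))
```

Run against a real log, the per-path counts are the useful output: a script path that appears only in flagged requests, and only from one or two source addresses, is the file to pull from disk and compare against the application's known deployment. The heuristics are deliberately coarse; pair them with the antivirus scanning of upload directories recommended above rather than relying on either alone.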