Organizations’ web presences are essential to their ability to do business. As a result, they are the target of a number of different attacks. One growing but often overlooked threat to website security is the web shell. A web shell is a program that enables an attacker to run malicious code on the underlying web server. Web shells have played a major role in several data breaches, including Equifax, and it is vital that an organization has defenses in place to detect and block them.
What is a Web Shell?
A website consists of a variety of different types of content. These include HTML (which defines the structure of the website), CSS (which provides stylistic information), and scripts (which enable animation and interactivity).
A user interacts with a set of files that are stored on a web server and served upon request. However, those files live on a computer inside an organization’s network. A web shell is designed to let an attacker move from interacting with the website to running code on the computer hosting it. It does this with a script that passes a command to the underlying shell or command prompt of the web server; many programming languages provide an eval or exec function for exactly this purpose. A web shell makes it easy for an attacker to send commands to the shell inside web requests and receive the results of those commands in web responses.
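The defining trait described above (an execution function such as eval or exec fed from a web request) is also the most reliable static indicator for finding a web shell in a web root. The scanner below is an added example written for this article, not code from the original piece or from any product it mentions; the pattern lists, the scoring weights and the three sample PHP files are all constructed for illustration. It flags a file when request-controlled input reaches an execution sink, and scores a plain fixed-command `exec()` as benign so that a normal deployment script is not reported.

```python
"""Static indicator scan for PHP web shells (added example, not from the article).

A file is flagged when a code- or command-execution sink (eval, system, ...)
is fed, directly or through a decoding layer, from request-controlled input
($_GET, $_POST, ...). Pattern lists, weights and fixtures are constructed.
"""
import re
from dataclasses import dataclass, field

# Functions that execute PHP code or shell commands.
SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|create_function)"
# Inputs an attacker controls from a web request.
SOURCES = r"(?:\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input|getallheaders\s*\()"
# Decoding layers often wrapped around a payload to hide it from a simple grep.
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)"

SINK_RE = re.compile(SINKS + r"\s*\(", re.I)
SOURCE_RE = re.compile(SOURCES, re.I)
DECODER_RE = re.compile(DECODERS + r"\s*\(", re.I)
# A sink whose argument list (up to the statement end) contains a request source.
DIRECT_RE = re.compile(SINKS + r"\s*\([^;]*" + SOURCES, re.I)

FLAG_THRESHOLD = 3  # constructed cut-off for reporting a file


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def scan_source(path: str, text: str) -> Finding:
    """Score one file's source text; higher means more shell-like."""
    f = Finding(path=path)
    if DIRECT_RE.search(text):
        f.score += 5
        f.reasons.append("request input passed straight to an execution sink")
    has_sink = SINK_RE.search(text) is not None
    has_source = SOURCE_RE.search(text) is not None
    has_decoder = DECODER_RE.search(text) is not None
    if has_sink and has_decoder:
        f.score += 3
        f.reasons.append("execution sink combined with a decoding function")
    if has_sink and has_source and f.score == 0:
        # Weak signal: both present, but not on the same statement.
        f.score += 1
        f.reasons.append("execution sink and request input in the same file")
    return f


def scan_files(files: dict, threshold: int = FLAG_THRESHOLD) -> list:
    """Scan a {path: source} mapping and return flagged findings, worst first."""
    findings = [scan_source(p, t) for p, t in files.items()]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed fixtures: a normal page, a deployment helper with a fixed
# command, and a one-line shell hidden under an innocent-looking name.
FIXTURES = {
    "index.php": '<?php\n$q = htmlspecialchars($_GET["q"] ?? "");\n'
                 'echo "<h1>Results for $q</h1>";\n',
    "build.php": '<?php\n// fixed command, no request input reaches exec()\n'
                 'exec("git rev-parse HEAD", $out);\necho $out[0];\n',
    "img.php": '<?php @eval(base64_decode($_POST["x"])); ?>',
}

if __name__ == "__main__":
    for finding in scan_files(FIXTURES):
        print(f"{finding.path}: score {finding.score} - {'; '.join(finding.reasons)}")
```

Run over a real web root by reading each `.php` file into the mapping. The scoring is deliberately conservative: a fixed-command `exec()` on its own scores zero, and a sink and a request variable that merely share a file score one, well below the threshold, so the tool is useful as a first triage pass alongside the file integrity monitoring discussed later rather than as a replacement for it.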
Beyond these basics, web shells can have different levels of sophistication. Some are designed to have additional capabilities, like file uploads. Others may be tied into different programs, like ones that link into Microsoft Exchange and communicate with the attacker via special emails. Regardless of the details, these programs can be used for a wide range of malicious purposes on an infected web server.
How Web Shells Get on Websites
A web shell is a serious security risk to an organization since it allows an attacker access to the organization’s web server. This access could be used to steal sensitive information or as a stepping stone to gain internal access to the organization.
Despite this, some web shells are installed on web servers by legitimate administrators. These administrators do not want to enable SSH to access their web servers or are limited in where they can access the web server via SSH, so they set up a hidden web shell to allow them to perform remote administration anyway. However, these web shells can be detected and exploited by cybercriminals.
Other web shells are installed on legitimate websites by cybercriminals. The only requirement for a web shell to be installed is that the attacker is able to add malicious code to a web server.
An attacker can use a number of different vectors to accomplish this, and many web shells are extremely small, making them harder to detect. For example, exploitation of a remote code execution (RCE) vulnerability can enable injection of the necessary malicious code. Alternatively, the attacker could perform a spear phishing attack against an administrator and use their credentials to add the web shell. Finally, some cybercriminals will target the supply chain, embedding malicious functionality, like a web shell, into the platforms and extensions commonly used by websites.
Malicious Web Shells Are Becoming More Common
Web shells are becoming a more common component in cybercriminals’ attacks. A recent report published by Microsoft stated that they are detecting an average of 77,000 web shells on 46,000 distinct machines each month. The impacts of these attacks can be significant. For example, the Equifax hack is one of the most notorious data breaches in history as it affected a large percentage of the United States’ population and exposed sensitive financial data entrusted to the company.
The attack against Equifax consisted of multiple stages. The attackers first exploited an unpatched vulnerability in Apache Struts, a commonly used web server. This vulnerability enabled the attackers to upload a web shell to the company’s web server, allowing them to run their code on the underlying system. From there, they were able to expand their reach to internal systems and steal the sensitive financial data of 148 million Equifax customers.
Protecting Against Web Shell Attacks
Web shell attacks are a significant threat to an organization’s website security. Not only do they pose a threat to the internal organization, but they also enable an attacker to make changes to the files that make up the website. This can be used to steal sensitive data or embed additional malicious content within the organization’s legitimate web pages.
Many of these web shells are very small, just a few lines of code, which makes them difficult to find by manual review. For this reason, it is a good idea to have file integrity monitoring in place to detect unauthorized changes to website files, since an unexpected new or modified file can indicate that a web shell has been injected. Web shells are also often added to websites by exploiting common web application vulnerabilities: remote code execution bugs let an attacker place the malicious code on a vulnerable web server. Deploying a web application firewall (WAF) can help to detect and block attempted exploitation of these vulnerabilities.
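File integrity monitoring of the kind recommended above comes down to three steps: hash every file under the web root, store that baseline somewhere the web server cannot write, and periodically compare a fresh snapshot against it. The monitor below is an added example for this article, not code from the original piece or from any commercial product; the directory layout, the excluded cache directory and the simulated changes in `demo()` are constructed for illustration.

```python
"""Baseline file integrity monitor for a web root (added example, not from the
article). Hashes every file under a directory, stores the baseline as JSON,
and reports files added, modified or removed since the baseline was taken.
Paths and sample files are constructed for this example.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories whose contents legitimately churn; constructed for the example.
EXCLUDED_DIRS = ("cache", "tmp")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, exclude_dirs=EXCLUDED_DIRS) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]  # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed web root, take a baseline, simulate changes, report."""
    with tempfile.TemporaryDirectory() as web, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(web), Path(store) / "baseline.json"
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "assets").mkdir()
        (root / "assets" / "site.css").write_text("body { margin: 0 }\n")
        (root / "cache").mkdir()
        (root / "cache" / "page.html").write_text("cached\n")
        save_baseline(snapshot(root), baseline_file)  # baseline lives outside the web root

        # Simulated drift: a new script appears in an upload directory, a page is
        # altered, a stylesheet disappears, and the ignored cache churns.
        (root / "uploads").mkdir()
        (root / "uploads" / "img.php").write_text("<?php /* constructed sample */ ?>\n")
        with (root / "index.php").open("a") as fh:
            fh.write("<?php /* appended line */ ?>\n")
        (root / "assets" / "site.css").unlink()
        (root / "cache" / "page.html").write_text("regenerated\n")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline is written from a trusted build or deployment step and kept read-only to the web server's account; otherwise an attacker who can drop a shell can also rewrite the baseline to hide it. Each `added` or `modified` entry outside expected churn is the alert, and a new file under an upload directory is the case the article's point about small, hard-to-spot shells makes most worth reviewing.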
A malicious web shell on the company web server can cost an organization millions, like the Equifax hack. Deploying the appropriate defenses is necessary to secure an organization’s web presence and its bottom line.
This is an article provided by our partners’ network. It does not reflect the views or opinions of our editorial team and management.