Researchers at Microsoft have noticed an uptick in the use of web shells as an initial foothold on enterprise and public sector networks by a number of different attack groups in the last few months, including several APT teams.
The use of web shells by attackers is not a new technique, nor is it a complex one. Web shells typically are small pieces of code that an attacker uploads to a target web server, often using a misconfiguration or known vulnerability as the vector. Once the shell is on a server, the attacker can then use it to run commands or use the machine as a jumping-off point to get to other parts of the network. There are any number of publicly available web shells, but organized attack groups are known to write and use their own, as well.
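As an added illustration (not code from the Microsoft analysis), the script below shows what a defender actually looks for in a web root: the defining shape of a web shell is request input that can reach a code- or command-execution function, often wrapped in a decoding layer and sitting in a very small file. The three sample files and their paths are constructed for this example.

```python
"""Heuristic triage of web-root files for web shell characteristics (added example)."""
import re
from pathlib import Path

# Where untrusted request data enters a script (PHP, ASP/ASP.NET, JSP).
REQUEST_SOURCES = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b|\bRequest(?:\.(?:Form|QueryString|Item)|\[)"
    r"|\bgetParameter\(", re.IGNORECASE)
# Functions that hand a string to the language runtime or the OS for execution.
EXEC_SINKS = re.compile(
    r"\b(?:eval|assert|system(?!\.)|shell_exec|passthru|exec|popen|proc_open"
    r"|create_function|Process\.Start|Runtime\.getRuntime)\b", re.IGNORECASE)
# Decoding layers commonly wrapped around shell code to defeat plain string matching.
OBFUSCATION = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|FromBase64String)\b"
    r"|(?:chr\(\d+\)\s*\.\s*){4,}", re.IGNORECASE)

def score_web_content(text):
    """Return (0-100 score, reasons) for one file's source text."""
    reasons = []
    has_source = REQUEST_SOURCES.search(text) is not None
    sinks = sorted({m.group(0).lower() for m in EXEC_SINKS.finditer(text)})
    decoders = sorted({m.group(0).lower()[:40] for m in OBFUSCATION.finditer(text)})
    score = 0
    if has_source and sinks:      # request data and an exec sink in one file: classic shell
        score += 70
        reasons.append("request input alongside exec sink(s): " + ", ".join(sinks))
    elif sinks:                   # exec sink alone: worth a look, but legitimate code does this too
        score += 20
        reasons.append("exec sink(s) without request input: " + ", ".join(sinks))
    if decoders:
        score += 20
        reasons.append("decoding layer(s): " + ", ".join(decoders))
    if sinks and len(text.strip()) < 200:   # the "one-liner" shape dropped into an upload folder
        score += 10
        reasons.append("very small file that still executes code")
    return min(score, 100), reasons

def scan_webroot(root, exts=(".php", ".asp", ".aspx", ".ashx", ".jsp"), threshold=50):
    """Walk a real web root; return {path: (score, reasons)} for files at or above threshold."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            score, reasons = score_web_content(path.read_text(errors="replace"))
            if score >= threshold:
                findings[str(path)] = (score, reasons)
    return findings

# Constructed sample files (not from the report) to exercise the heuristics.
SAMPLES = {
    "contact.php": '<?php $n = htmlspecialchars($_GET["name"]); echo "Hi $n"; ?>',
    "img/cache.php": '<?php @eval(base64_decode($_POST["c"])); ?>',
    "aspnet_client/x.aspx": '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["cmd"]); %>',
}

def triage_samples():
    """Score each constructed sample; returns {name: score}."""
    return {name: score_web_content(text)[0] for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, score in triage_samples().items():
        print(f"{score:3d}  {name}")
```

Scores are a triage aid for an analyst, not a verdict: a legitimate admin page that shells out will score in the middle, while a heavily encoded shell with no recognisable sink will be missed, so pair this with file-creation monitoring on the web root.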
In a recent investigation, members of the Microsoft Detection and Response Team discovered that an attacker had installed web shells in several folders on a misconfigured server in a public sector organization. From there, the attacker was able to compromise domain administrator and service accounts and move laterally inside the network. That was just the beginning, though: the attacker next targeted the organization’s mail server.
“The attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an Exchange transport agent, which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information,” Microsoft researchers said in an analysis of the attack.
“The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.”
Microsoft’s Defender Advanced Threat Protection tool detected a significant increase in the number of web shells installed on machines beginning in July 2019 and continuing through September. The number of detections rose from fewer than 60,000 to more than 100,000 in that time. Several different attack groups have been seen using web shells as part of their methodology, including the Lazarus group and the Gallium group, which recently has targeted telecom operators.
Web shells often are the first step in a multi-part attack chain, giving the actor a landing spot and a base of operations for further movement inside a network.
“Once a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise,” Microsoft’s researchers said.
“Aside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring.”