Web Shells Gain Sophistication for Stealth, Persistence

Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as WSO-NG was recently seen disguising its login site as a 404 "Page Not Found" splash page, gathering information about potential targets through legitimate services such as VirusTotal, and scanning for metadata related to Amazon Web Services as a pathway to stealing developers' credentials, internet management firm Akamai stated in an analysis posted on Nov. 22. Other Web shells have been deployed by the Cl0p and C3RB3R ransomware gangs, the latter which exploited servers running Atlassian Confluence enterprise server in a mass exploitation campaign earlier this month. Web shells have become an easy-to-use way of issuing commands to compromised servers as attackers increasingly target cloud resources, says Maxim Zavodchik, threat research director at Akamai. "Today, the attack surface that Web applications - not just APIs - allows is really large," he says. "So when you're exploiting a Web vulnerability, the easiest next step will be to deploy a Web platform - an implant, something that is not a binary, but talks the same language as the Web server." Akamai focused on WSO-NG following its use in a massive campaign targeting Magento 2 e-commerce shops, but other groups use different Web shells. The Cl0p ransomware group, for example, dropped the DEWMODE and LEMURLOOT Web shells, respectively, after exploiting vulnerabilities in Kiteworks Accellion FTA in 2020 and Progress Software's MOVEit managed file transfer service in May, according to a June 2023 analysis by networking firm F5. In 2021, Microsoft noted that the use of Web shells had grown dramatically, with the company seeing nearly double the encounters of Web shells on monitored servers compared to the prior year, the company stated in an analysis. "Web shells allow attackers to run commands on servers to steal data or use the server as [a] launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization," Microsoft stated in its analysis. Stealthy and Anonymous One reason attackers have taken to Web shells is because of their ability to stay under the radar. Web shells are hard to detect with static analysis techniques, because the files and code are so easy to modify. Web shell traffic - because it is just HTTP or HTTPS - blends right in, making it hard to detect with traffic analysis, says Akamai's Zavodchik. "They communicate on the same ports, and it's just another page of the website," he says. "It's not like the classic malware that will open the connection back from the server to the attacker. The attacker just browses the website. There's no malicious connection, so no anomalous connections go from the server to the attacker." Because there are so many off-the-shelf Web shells, attackers can use them without tipping off defenders as to their identity. Kali Linux is open source; it's a Linux distribution focused on providing easy-to-use tools for red teams and offensive operations, and it provides 14 different Web shells, giving penetration testers the ability to upload and download files, execute command, and creating and querying databases and archives. "When APT threat actors ... move from specially tailored binary implants to Web shells - either their own Web shells or some generic Web shells - no one could be attributing those factors to the specific groups," Zavodchik says. Defend With Suspicious Vigilance The best defenses are monitoring Web traffic for suspicious patterns, anomalous URL parameters, and unknown URLs and IP addresses. Verifying the integrity of the servers is also a key defensive tactic, Malcolm Heath, a senior threat researcher at F5 Networks, wrote in a June post on Web shells. "Directory content monitoring is also a good approach, and some programs exist which can detect changes to monitored directories immediately and roll back changes automatically," the company stated. "Additionally, some defensive tools allow for the detection of anomalous process creation." Other methods include focusing on detecting the initial access and the deployment of a Web shell. Web application firewalls, with their ability to look at traffic flows, are also solid defensive measures.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:02 +0000


Cyber News related to Web Shells Gain Sophistication for Stealth, Persistence

Web Shells Gain Sophistication for Stealth, Persistence - Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as ...
10 months ago Darkreading.com
It's not cricket! Sri Lanka and Bangladesh co-host phishing attack - Sri Lanka and Bangladesh have a successful history of co-hosting the Cricket World Cup, but today the two countries' governments have found themselves on a sticky wicket by co-hosting a phishing attack that targets UK banking customers. Victims lured ...
10 months ago Netcraft.com
SIEM agent being used in SilentCryptoMiner attacks | Securelist - The most interesting action in this attack was the implementation of unusual techniques like using an SIEM agent as backdoor, adding the malicious payload to a legitimate digital signature, and hiding directories containing malicious files. The ...
1 week ago Securelist.com
Russian Sandworm Group Using Novel Backdoor to Target Ukraine - Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers. The previously unreported backdoor, dubbed ...
5 months ago Infosecurity-magazine.com
Cyber Insights 2023: Criminal Gangs - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. Despite some geopolitical overlaps with state attackers, the majority of ...
1 year ago Securityweek.com
Reverse Shell for Linux/Unix Systems - Hackers exploit reverse TCP shells on Linux or Unix systems to gain unauthorized remote access. Cybersecurity researchers at PwC recently discovered a reverse TCP shell for Linux or Unix systems with C2 capabilities while analyzing one of the malware ...
10 months ago Cybersecuritynews.com
Cookies Exploit Allows Persistent Access After Password Reset - A Critical Google Cookies exploit involves manipulating or stealing user cookies, which store authentication information, to gain unauthorized access to accounts. A developer, PRISMA, discovered a major Google cookie exploit in Oct 2023 that allows ...
9 months ago Gbhackers.com
Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities - Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations. It comes built with a series of stealth mechanisms and the ability to spread further into local area ...
9 months ago Darkreading.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
9 months ago Microsoft.com
Hackers Modifying Registry Keys and Establishing Persistence - Persistence is one of the key things for threat actors to maintain their access to compromised systems and establish connections whenever they require. One of the key methods used to maintain persistence is the use of scheduled tasks. This enables ...
9 months ago Cybersecuritynews.com
Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation - Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early ...
9 months ago Mandiant.com
Ukraine Military Targeted With Russian APT PowerShell Attack - A sophisticated Russian advanced persistent threat has launched a targeted PowerShell attack campaign against the Ukrainian military. The attack is most likely perpetrated by malicious threat actors related to Shuckworm, a group with a history of ...
8 months ago Darkreading.com
UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
10 months ago Theregister.com
Ai, Cybersecurity Awareness, And Communication - We're only beginning to see the scope of these attacks and the approaches attackers are developing because of this technology. The rapid advancements in AI technology have opened up new avenues for attackers to exploit vulnerabilities and launch ...
8 months ago Cyberdefensemagazine.com
The Mask: A Resilient Espionage Group Returns After a Decade - An APT group that has been missing for over a decade has reappeared in a cyber-espionage campaign aimed at organizations in Latin America and Central Africa. The Mask's history Origins: The Mask first appeared in 2007, operating with stealth and ...
5 months ago Cysecurity.news
Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
1 year ago Heimdalsecurity.com
Five Eyes Agencies Put Focus on Active Directory Threats - Security Boulevard - Cybersecurity agencies in the United States and other countries are urging organizations to harden the security around Microsoft’s Active Director (AD) solution, which has become a prime target of hackers looking to compromise enterprise networks. ...
1 week ago Securityboulevard.com
The Top 6 Cybersecurity Threats Businesses Must Tackle in 2024 - Through the rise of Artificial Intelligence, increased cyberwarfare and new emerging technologies, the security landscape has evolved significantly, with new threats emerging and existing ones growing in sophistication. Cybersecurity in 2024 is more ...
9 months ago Cybersecurity-insiders.com
Zcaler ThreatLabz 2024 VPN Risk Report - The growing sophistication of cyberthreats alongside the expansion of remote workforces and cloud technologies have exposed significant vulnerabilities in VPNs. Due to their legacy architecture, VPNs grant overly broad network access once credentials ...
4 months ago Cybersecurity-insiders.com
Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents - A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures. Fitting such a ...
6 months ago Darkreading.com
Apple Faces New Security Dilemma as Infostealers Execute Stealthy Attacks - There is an increase in the sophistication of info thieves targeting macOS, allowing them to evade Apple's malware protection built into the operating system as these attackers have become better at cracking static signature-detection engines like ...
8 months ago Cysecurity.news
CVE-2018-1113 - setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell ...
5 years ago
Hamas-Linked APT Wields New SysJoker Backdoor Against Israel - Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the current conflict between the two continues despite a current pause in the fighting. An ...
10 months ago Darkreading.com
NKAbuse Malware Attacking Linux Desktops & Corn Persistence - Threat actors target Linux systems due to their prevalence in server environments, and cron jobs offer a discreet means of maintaining unauthorized access over an extended period. Infiltrating via implant upload, it establishes persistence through a ...
9 months ago Gbhackers.com
Ivanti Connect Secure zero-days now under mass exploitation - Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control appliances are now under mass exploitation. As discovered by threat intelligence company Volexity, which also first spotted the zero-days ...
8 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)