Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft warns of the rise of web shell attacks

Researchers from Microsoft are warning that the number of monthly web shell attacks has doubled since last year. Microsoft reported that the number of monthly web shell attacks has almost doubled since last year, its experts observed an average of 140,000 of these software installs on servers on a monthly basis, while in 2020 they […]

Researchers from Microsoft are warning that the number of monthly web shell attacks has doubled since last year.

Microsoft reported that the number of monthly web shell attacks has almost doubled since last year, its experts observed an average of 140,000 of these software installs on servers on a monthly basis, while in 2020 they were 77,000.

“One year ago, we reported the steady increase in the use of web shells in attacks worldwide. The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers, almost double the 77,000 monthly average we saw last year.” reads the report published by Microsoft.

A web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

The surge in the number of attacks involving web shells is attributed to their simplicity and efficiency.

The latest Microsoft 365 Defender data shows a growing trend since August 2020.

web shell attacks encounters-trend

Microsoft also provided some tips on how to harden servers against attacks attempting to download and install a web shell.

The experts highlighted challenges in detecting web shell attacks, these malicious codes can be developed using several languages. They are difficult to detect due to their simplicity, threat actors often used webshells for persistence or for early stages of exploitation.

Web shells can be hidden web shells in non-executable file formats, such as media files.

“Web servers configured to execute server-side code create additional challenges for detecting web shells, because on a web server, a media file is scanned for server-side execution instructions. Attackers can hide web shell scripts within a photo and upload it to a web server.” continues the report. “When this file is loaded and analyzed on a workstation, the photo is harmless. But when a web browser asks a server for this file, malicious code executes server side.”

In April 2020, the U.S. NSA and the Australian Signals Directorate (ASD) issued a report to warn of attackers increasingly exploiting vulnerable web servers to deploy web shells.

The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report could be useful for administrators that want to defend the servers in their networks from these threats.

The NSA has also released in its GitHub repository a collection of tools that can be used to prevent the deployment of the webshells and detect/block these threats.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, web shell)

[adrotate banner=”5″]

[adrotate banner=”13″]