Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends.
Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks.
In fact, not only were web shells the most observed threat overall, but they also appeared in almost a quarter of all incidents. That’s a marked increased from our previous trends report (the usage growing from 6% to 25%).
You may be wondering, why is that? Or maybe, what are web shells? And why do attackers use them in their campaigns? Let’s break it down:
What are web shells?
A web shell is a tool that bad actors may use to interact with and maintain access to a system, after an initial compromise. It takes the form of a web script (a piece of code) which is then uploaded to a vulnerable system. Afterwards, it can be used to interact with the underlying operating system.
The complexity of modern systems, especially websites that may include third-party software or libraries (that, in turn, make many outbound connections), means that malicious scripts that threat actors use for initial access, are easily missed.
After that initial access, malicious web scripts can leverage exploitation techniques, or are used to carry out further attacks.
How are web shells typically used in attacks?
Attackers will look for vulnerabilities within a system to find the best place (as far as they are concerned) to drop a web shell (or in many cases, multiple shells). Those vulnerabilities might be in a website content management system or an unpatched web server, for example.
The point of this is to establish a foothold to gain persistent access to a system. Imagine you’ve built a secret door that no one else knows about – you have the key, so you can return as often as you like.
Adversaries then have several options in front of them, depending on their ultimate motivation. We’ve seen them remotely execute arbitrary code or commands, as well as move laterally within the network, or deliver additional malicious payloads.
As noted in the Talos Q1 2023 Incident Response report, exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
Notable example: China Chopper
China Chopper is a web shell that allows attackers to retain access to an infected system using a client side application, which contains all the information required to control the target.
In 2019, due to its significant use over the previous two years (including espionage campaigns), two Talos researchers took a closer look at the China Chopper web shell. They explored several cases studies where China Chopper was used.
How can you detect web shells?
A web shell will often leave sticky fingerprints at the scene. An intrusion prevention system such as Snort can help detect if an attacker has used a tool like a web shell to gain remote access.
Cisco Secure Network Analytics can help uncover rogue connections, as can Cisco Umbrella by blocking malicious connections at the DNS level.
Organizations should deploy endpoint detection and response tools such as Cisco Secure Endpoint, which gives users the ability to track process invocation and inspect processes.
The increase in web shell engagements highlights the need for more awareness and protections in helping to prevent web shells. Talos provides the following recommendations:
· Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
· In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
· Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc_open() and passthru().
· Frequently audit and review logs from web servers for unusual or anomalous activity.
Read the full 2023 Q1 Talos Incident Response Quarterly Trends report