The volume of web shell attacks worldwide is on an upwards trend and gathered significant pace in 2020. This is according to a new report from Microsoft, based on data drawn down from its Microsoft 365 Defender antivirus suite.
“A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions,” the company explains.
From August 2020 to January 2021, there were an average of 140,000 web shell attacks per month, almost double the 77,000 monthly average from the year before.
The simplicity and effectiveness of web shell attacks have made them popular among criminals, Microsoft explains.
Through web shell attacks, criminals can run commands on servers, steal data or use the devices to launch two-stage attacks. They can also be used to steal login credentials, move laterally throughout the network, or even go for “hands-on keyboard activity.”
It all starts by exploiting security gaps in web applications found on internet-facing servers, which criminals identify using engines such as Shodan.io. Sometimes they move quickly to exploit a newly discovered vulnerability that hasn’t been patched, but in many cases criminals abuse vulnerabilities with known fixes that haven’t yet been applied.
In order to eliminate the threat, it is paramount that victims first find and patch up the persistence mechanism. “Restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery,” the company concluded.