What’s old is new again as Web shell malware becomes the latest attack vector in widespread Exchange exploits. Here’s a primer on what Web shells are and what they do.
Malware known as China Chopper is behind the recent headline-making attacks against vulnerable Microsoft Exchange Servers worldwide. China Copper is a type of malicious software known as a Web shell, and it has played a consistent role in the attack patterns analysts have observed over the past few weeks.
In these attacks, zero-day vulnerabilities are being exploited by Chinese hacking group Hafnium; many of the servers in their crosshairs have received malicious Web shell payloads. These Web shells can later be used as a backdoor, and hackers can access Exchange servers even after they’ve been patched.
“Attackers love to set up and utilize Web shells they can access later because Web shells give them the maneuverability to develop their attacks as they go, instead of implanting a specific item of malware up front that isn’t as flexible,” says Chester Wisniewski, a principal research scientist at Sophos. “Web shells enable a remote attacker to download any file the Web server has access to, implant new ones, and run code as desired.”
While neither new nor novel, Web shells are making an impact with a surge of Exchange attacks. Consider this article your Web shell primer, accompanied by best practices to guard against them.
First of All, What Is a Web Shell?
A Web shell is a malicious script file installed on a Web server that provides read, write, and/or execution capabilities to the attacker, explains Matthieu Faou, malware researcher at ESET.
“They can be developed in multiple languages, such as PHP, ASP, or .NET,” he says.
And that means they can be configured to receive instructions, just like a legitimate program, Wisniewski adds.
“Computer languages and operating systems always contain a text command execution environment where users can ‘manually’ instruct the computer on what to do, referred to as a shell,” he says. “Windows users may be familiar with the ‘Command Prompt’ or DOS if they’re old enough. MacOS and Linux users typically use a shell called ‘bash.’ A Web shell is simply a program that runs on the Web server and provides equivalent remote command access through a browser.”
What Is a Typical Attack Scenario That Uses a Web Shell?
Any attack that starts with the compromise of a Web server is a typical Web shell attack scenario, Faou says.
“It can be a vulnerability in a Web application that allows the attacker to upload a script file on the server,” he says. “If this script file is dropped in a directory accessible for the Internet, then the attacker can use the Web shell to execute additional commands.”
How Do Attackers Get Web Shells in an Environment?
Most often Web shells are “implanted” through a vulnerability in a Web application, says Wisniewski.
“The vast majority of Web shells I have uncovered have been installed on out-of-date servers running CMS software like WordPress and Drupal,” he explains.
How Are Web Shells Used in the Exchange Attacks We Are Now Hearing About?
In the recent attacks against Microsoft Exchange servers, attackers use a remote code execution vulnerability in Microsoft Exchange’s Outlook Web Access to install Web shells. The vuln allows them to drop a Web shell on the mail server.
“Then they can browse to the URL where the Web shell is located to execute commands or drop additional malicious files,” Faou says.
Web shells can be used to deliver and execute malicious content; rewrite script, protocols, or files; or generate fake news, malware content, or malicious links. It’s an easy way for crooks who can write files to a Web server, but not run them directly, to launch them indirectly, says Wisniewski.
“If an attacker can infiltrate a file with a scriptable extension into the right place on a Web server, then they can revisit it later and force the file to execute on the server simply by referencing the URL that corresponds to the infiltrated file,” he says. “The browser essentially acts as a sort of ‘command console’ that triggers the server to execute the script code.”
Is There Anything New About the Web Shells in the Exchange Attacks?
The researchers we spoke to say there is really nothing unusual about the Web shells being used in these attacks. It’s an older program that has surfaced again
“A Web shell is a Web shell,” says Wisniewski. “The problem is now other criminals know about them and are exploiting them as well. If your adversary was truly China trying to attack your organization, it may be difficult to find the signal in the noise.”
How Can Defenders Guard Against Web Shells?
Keeping defenses high against Web shells involves the usual hygiene recommendations: Keep Web applications up to date, says Faou. Pen-test custom Web apps regularly to ensure they don’t have flaws that can be exploited. Monitor Web servers and enable alerts for when a new script is dropped on disk by the Web server (for example, Apache or Microsoft IIS).
“A new script dropped by the Web server is very suspicious and likely to be a Web shell,” says Faou.
In this particular Exchange attack scenario, Wisniewski advises patching all on-premise Microsoft Exchanged servers in the environment and continuously monitor networks for indicators of compromises.
“Aside from this vulnerability, it is important to always keep your applications patched, especially CMSes,” he says.
What’s Next for Web Shells?
Faou says he doesn’t expect much to change. Web shells have been the go-to method for attackers to exploit vulnerable Web servers for years. Based on the success criminals are having lately by using them, they will continue to be a popular technique.
“The recent Exchange campaign is just a one-time event,” he says. “There are vulnerabilities discovered in other Web applications very regularly.”