Microsoft has warned of an increase in cyberattacks using web shells. Cybercriminals often use web shells to maintain their presence on compromised networks.
Compared to last year, the average monthly number of malicious web shells detected on compromised servers has doubled.
Microsoft’s Defender Advanced Threat Protection (ATP) report last year, based on data collected from 46,000 individual devices, recorded an average of 77,000 web shells detected on compromised servers per month.
Microsoft attributes the growing number of cyberattacks using web shells to the fact that they are very easy to use and effective. Typically, a web shell is a small piece of malicious code written in a common web development language (e.g. ASP, PHP, JSP). Cybercriminals embed it on a web server, thereby giving themselves remote access to that server for further code execution.
Web shells allow attackers to run commands on servers to steal data or to use the server as a launching pad for other actions, such as lateral movement, deployment of additional payloads, or hands-on-keyboard activity.
Attackers install web shells on servers by exploiting vulnerabilities in Internet-facing web applications and servers. To find vulnerable installations, they scan the Internet using publicly available tools such as shodan.io. Cybercriminals often exploit vulnerabilities that the vendor has already fixed but that system administrators have, unfortunately, not yet patched.
Once installed on the server, web shells are one of the most effective means of maintaining persistence in attacked corporate networks.
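The defender's counterpart to the description above is detection on disk: a web shell is a script in which request-controlled data reaches a code- or command-execution function. The following Python scanner is an added example, not code from Microsoft's report or this article; it applies that heuristic to PHP source, including the case where the input is first staged through a variable, and the sample files, function and variable names are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Functions that execute code or OS commands: the sink every web shell needs.
SINK_RE = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
# Request-controlled data: the source a shell reads its command from.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input")
# Decoders often wrapped around a sink argument to defeat plain string matching.
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# "$var = ... $_POST[...]": the assigned variable now carries request data too.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=[^;]*?(\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input)")


@dataclass
class Finding:
    line_no: int
    reason: str
    statement: str


def scan_php(source: str) -> list[Finding]:
    """Flag statements where request data (directly or via a variable) reaches a sink."""
    # Pass 1: variables assigned from request data are treated as sources as well.
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    taint_re = None
    if tainted:
        taint_re = re.compile("|".join(re.escape(v) + r"\b" for v in sorted(tainted)))
    findings: list[Finding] = []
    # Pass 2: examine every ';'-terminated statement that contains a sink.
    for m in re.finditer(r"[^;]+;?", source):
        stmt = m.group(0)
        sink = SINK_RE.search(stmt)
        if sink is None:
            continue
        # Report the line on which the sink itself appears.
        line_no = source.count("\n", 0, m.start() + sink.start()) + 1
        if SOURCE_RE.search(stmt) or (taint_re and taint_re.search(stmt)):
            findings.append(Finding(line_no, "request data reaches execution sink", stmt.strip()))
        elif OBFUSCATION_RE.search(stmt):
            findings.append(Finding(line_no, "obfuscated payload passed to execution sink", stmt.strip()))
    return findings


# Constructed samples (not from the report): a minimal shell that stages the command
# through a variable, and a legitimate page that reads a parameter but only echoes it.
SUSPICIOUS = "<?php\n$c = $_REQUEST['c'];\nsystem($c);\n"
BENIGN = "<?php\n$name = htmlspecialchars($_GET['name']);\necho 'Hello ' . $name;\n"

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_php(sample))
```

Run `scan_php` over the contents of every script under the web root and review the hits by hand; the heuristic is deliberately broad, so a flagged file needs a person to confirm it.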
Let me remind you that I also reported that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.