As web shell attacks continue to be a persistent threat, the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have released a detailed advisory and a host of detection tools on GitHub.
Web shells are tools that hackers deploy onto compromised public-facing or internal servers that give them significant access and allow them to remotely execute arbitrary commands. They are a powerful tool in a hacker’s arsenal, one that can deploy an array of payloads or even move between devices within a network.
The NSA warned that: “Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.”
A common misconception the agencies are trying to dispel is that hackers only target internet-facing systems with web shell attacks; in reality, attackers regularly use web shells to compromise internal content management systems or network device management interfaces.
In fact, these internal systems can be even more susceptible to attack, as they may be the last to be patched.
To help IT teams mitigate these attacks, the NSA and ASD have released a seventeen-page advisory with mitigating actions that can help detect and prevent web shell attacks.
NSA Web Shell Advisory
Web shell attacks are tricky to detect at first, as they are designed to appear as normal web files, and hackers obfuscate them further by employing encryption and encoding techniques.
One of the best ways to detect web shell malware is to keep a verified version of every web application in use. These known-good copies can then be used to authenticate production applications and are crucial in rooting out any discrepancies.
However, the advisory warns that while using this mitigation approach administrators should be wary of trusting timestamps, as “some attackers use a technique known as ‘timestomping’ to alter created and modified times in order to add legitimacy to web shell files.”
They added: “Administrators should not assume that a modification is authentic simply because it appears to have occurred during a maintenance period.”
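The comparison the advisory recommends, as an added example that is not part of the article or of the NSA's GitHub tooling: a verified baseline copy of the web application is hashed file by file and compared against the production web root, and file timestamps are deliberately ignored so that a timestomped file is still caught. The directory layout, file names and contents below are constructed for the demonstration.

```python
"""Compare a production web root against a verified baseline by content hash.

Added example (not from the advisory or the NSA's GitHub tooling). It
demonstrates the advisory's recommendation: keep a known-good copy of each
web application and compare production against it without trusting file
timestamps, since attackers may "timestomp" a web shell to look old.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest.

    Modification times are deliberately not recorded: they are under the
    attacker's control once the server is compromised.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict[str, str],
                      production: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the verified baseline and production.

    'added' files exist only in production (candidate dropped-in shells),
    'modified' files have different content (candidate injected shells),
    'removed' files are missing from production.
    """
    added = sorted(set(production) - set(baseline))
    removed = sorted(set(baseline) - set(production))
    common = baseline.keys() & production.keys()
    modified = sorted(p for p in common if baseline[p] != production[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean baseline and a production copy in which
    one file was altered and one new file dropped in, both timestomped so
    their mtimes match the baseline's deployment time."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "baseline"
        prod = Path(tmp) / "production"
        for root in (base, prod):
            (root / "app").mkdir(parents=True)
            (root / "app" / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "app" / "config.php").write_text("<?php $debug = false; ?>\n")

        # Constructed tampering: alter an existing file and add a new one.
        (prod / "app" / "config.php").write_text("<?php $debug = false; /* altered */ ?>\n")
        (prod / "app" / "cache.php").write_text("<?php /* constructed new file */ ?>\n")

        # Timestomp: copy the baseline's access/modification times onto the
        # tampered files so a timestamp-only review would see nothing unusual.
        ref = (base / "app" / "config.php").stat()
        for name in ("config.php", "cache.php"):
            os.utime(prod / "app" / name, (ref.st_atime, ref.st_mtime))

        # Content hashing still flags both files regardless of their mtimes.
        return compare_manifests(build_manifest(base), build_manifest(prod))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest would be generated from the release artifact at deployment time and stored off the web server, so that an attacker who can write to the web root cannot also rewrite the reference hashes.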
The joint advisory warns that a web shell may simply be one part of a larger attack, and that organisations need to quickly work out how the attackers gained access to the network in the first place.
“Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where. If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time,” they warn.
To further help security teams, the NSA has released a dedicated GitHub repository containing an array of tools that can be used to detect and block web shell attacks.