The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint report warning of threat actors increasingly exploiting vulnerable web servers to deploy web shells.
Web shells are malicious tools that hackers can deploy on a compromised internal or internet-exposed server to gain and maintain access, as well as remotely execute arbitrary commands, deliver additional malware payloads, and pivot to other devices within the network.
They can be uploaded onto vulnerable servers in a wide variety of forms, from programs specifically designed to provide web shell features and Perl, Ruby, Python, and Unix shell scripts to app plugins and PHP and ASP code snippets injected within a web app's pages.
"Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks," the NSA said.
"This guidance will be useful for any network defenders responsible for maintaining web servers," the ASD added.
Web shell detection, prevention, and mitigation
The 17-page security advisory published by the two government intelligence agencies contains a wide range of information for security teams who want to detect hidden web shells, manage the response and recovery process after a web shell is found, and block malicious actors from deploying such tools on unpatched servers.
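One practical way to hunt for hidden web shells on a server, as an added example that is not code from the article or from the advisory: compare the deployed web root against a known-good copy, then run a content check over only the files that were added or changed. The file names and contents below are constructed for the demonstration, and the patterns are triage heuristics rather than proof of compromise.

```python
import hashlib
import os
import re
import tempfile

SHELL_PATTERNS = [  # request-controlled input handed straight to code/command execution
    re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
]

def hash_tree(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_baseline(baseline_root, deployed_root):
    """Return (added, modified) relative paths in the deployed tree versus the known-good copy."""
    base, live = hash_tree(baseline_root), hash_tree(deployed_root)
    added = sorted(p for p in live if p not in base)
    modified = sorted(p for p in live if p in base and live[p] != base[p])
    return added, modified

def looks_like_web_shell(path):
    """Content check, applied only to files the baseline comparison flagged."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return any(pat.search(text) for pat in SHELL_PATTERNS)

def scan(baseline_root, deployed_root):
    added, modified = diff_against_baseline(baseline_root, deployed_root)
    return {p: looks_like_web_shell(os.path.join(deployed_root, p)) for p in added + modified}

def _write(root, name, body):
    with open(os.path.join(root, name), "w") as fh:
        fh.write(body)

def build_demo():
    """Constructed sample: a known-good web root and a deployed copy with two changes."""
    base, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (base, live):
        _write(root, "index.php", "<?php echo 'hello'; ?>")
        _write(root, "config.php", "<?php $debug = false; ?>")
    _write(live, "config.php", "<?php $debug = true; ?>")  # legitimate edit, not a shell
    _write(live, "cache.php", "<?php\n// eval($_REQUEST['x']);\n?>")  # constructed, inert (commented out)
    return base, live
```

Running `scan(*build_demo())` reports `cache.php` as shell-like and `config.php` as merely changed, which is the split a responder wants: review every difference, but prioritise the ones that carry execution patterns.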