NSA shares list of vulnerabilities commonly exploited to plant web shells

LASER_oneXM

Feb 4, 2016
NSA and ASD issue joint advisory on detecting and dealing with web shells.

The US National Security Agency (NSA) and the Australian Signals Directorate (ASD) have published a security advisory this week warning companies to search web-facing and internal servers for common web shells.

Web shells are one of today's most popular forms of malware. The term "web shell" refers to a malicious program or script that's installed on a hacked server.

Web shells provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shells come with features to let hackers rename, copy, move, edit, or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server.
... ...
ForgottenSeer 85179

The two agencies have now published a joint 17-page report [PDF] that contains tools to help system administrators detect and deal with these types of threats. The advisory includes:

  • Scripts to compare a production website to a known-good image
  • Splunk queries for detecting anomalous URLs in web traffic
  • An Internet Information Services (IIS) log analysis tool
  • Network traffic signatures for common web shells
  • Instructions for identifying unexpected network flows
  • Instructions for identifying abnormal process invocations in Sysmon data
  • Instructions for identifying abnormal process invocations with Auditd
  • HIPS rules for blocking changes to web-accessible directories
  • A list of commonly exploited web application vulnerabilities

Some of the tools mentioned in the advisory are also available on the NSA's GitHub profile.
ForgottenSeer 85179

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint report warning of threat actors increasingly exploiting vulnerable web servers to deploy web shells.

Web shells are malicious tools that hackers can deploy on a compromised internal or internet-exposed server to gain and maintain access, as well as remotely execute arbitrary commands, deliver additional malware payloads, and pivot to other devices within the network.

They can be uploaded onto vulnerable servers in a wide variety of forms, from programs specifically designed to provide web shell features and Perl, Ruby, Python, and Unix shell scripts to app plugins and PHP and ASP code snippets injected within a web app's pages.

"Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks," the NSA said.

"This guidance will be useful for any network defenders responsible for maintaining web servers," the ASD added.

Web shell detection, prevention, and mitigation

The 17-page long security advisory published by the two intelligence government agencies contains a wide range of information for security teams who want to detect hidden web shells, to manage the response and recovery processes after detecting web shells, and to block malicious actors from deploying such tools on unpatched servers.

The NSA has a dedicated GitHub repository containing tools that companies can use to detect and block web shell threats, and to prevent web shell deployment, including:

• Scripts for "Known-Good" file comparison
• Scripts, Splunk queries, YARA rules, network and Snort signatures to detect web shells
• Instructions on how to use Endpoint Detection and Response solutions (Microsoft Sysmon, Auditd) to detect web shells on Windows and Linux
• HIPS rules to allow McAfee's Host Based Security System to block file system changes

For more, see the link.
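As an added example of the "known-good" file comparison that both posts above list (this is illustrative code, not the advisory's, the NSA repository's or either poster's): hash a baseline tree and the production tree, report what was added, modified or removed, and flag new or changed files with a web-executable extension, since an unexpected script in a writable directory is the classic footprint of a dropped web shell. The directory layout and file names in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server would execute; a new or altered file with one of
# these outside the known-good image deserves a look first.
WEB_EXEC_EXTS = {".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi", ".pl"}


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(known_good, production):
    """Diff two trees by content hash; 'suspicious' lists the added or
    modified paths whose extension the web server would execute."""
    base, prod = hash_tree(known_good), hash_tree(production)
    added = sorted(set(prod) - set(base))
    removed = sorted(set(base) - set(prod))
    modified = sorted(p for p in base.keys() & prod.keys() if base[p] != prod[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in WEB_EXEC_EXTS]
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo():
    """Build two constructed sample trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, prod = Path(tmp, "known_good"), Path(tmp, "production")
        for root in (good, prod):
            (root / "uploads").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>")
            (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        # Constructed deviations: a new script in the upload directory, an edited
        # index.php, and a static file present only in the baseline.
        (prod / "uploads" / "cache.php").write_text("<?php /* constructed placeholder */ ?>")
        (prod / "index.php").write_text("<?php echo 'hello'; include 'x'; ?>")
        (good / "robots.txt").write_text("User-agent: *")
        return compare_trees(good, prod)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline hashes would be taken from a clean build or deployment artefact, and a modified file that legitimately changes at runtime (caches, logs) should be excluded before treating it as a finding.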