NSA and ASD issue a report warning of web shell deployments

Pierluigi Paganini April 24, 2020

A joint report published by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) warns that attackers are increasingly exploiting vulnerable web servers to deploy web shells.

A web shell gives the attacker persistent access to the compromised server and lets them execute arbitrary commands on it. Threat actors then use that server as a foothold in the target network, to gather intelligence and attempt lateral movement.

“Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI).” reads the report.

The document explains how to detect and prevent web shells on the servers of the Department of Defense and other government agencies, but its advice applies equally to administrators responsible for web servers in any network.

“Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, the ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware.” states the ASD.

“This guidance will be useful for any network defenders responsible for maintaining web servers,” the ASD adds.

NSA has also published, in its GitHub repository, a collection of tools that help detect web shells, block their deployment and harden web servers against them.
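The detection method the CSI puts first is a known-good comparison: hash the files of a clean deployment and diff the live web root against that manifest, because a web shell has to exist as a new or altered file on the server. The following is an added example, not code from the NSA repository or from the report. It builds the baseline manifest, classifies every file on the live server as added, modified or missing, and runs a few content heuristics over the deviations. The web root contents, the regexes and the function names are constructed for this illustration, and the baseline must be built from a clean artifact, never from the server being checked.

```python
"""Known-good comparison of a web root, plus content heuristics for the diff.

Added example; not NSA/ASD code. The baseline manifest should be built from a
clean deployment artifact, never from the live server you are checking.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Idioms common in PHP/ASP/JSP web shells. A hit is an analyst lead, not proof:
# legitimate code rarely evals decoded input or execs request parameters, but it can.
SUSPICIOUS_PATTERNS = {
    "php-eval-of-decoded-input": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    "php-exec-of-request-param": re.compile(
        rb"(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
    "asp-eval-of-request": re.compile(
        rb"eval\s*\(\s*Request\.Item|eval\s+request\s*\(", re.IGNORECASE),
    "jsp-runtime-exec-of-param": re.compile(
        rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Relative path -> SHA-256 of content, for a set of files held in memory."""
    return {path: sha256_hex(data) for path, data in files.items()}


def read_webroot(root: Path) -> dict[str, bytes]:
    """Load every regular file under root, keyed by POSIX-style relative path.
    Use this on the live server; build_manifest(read_webroot(clean)) on the artifact."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(baseline: dict[str, str],
                        current: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every path as added, modified or missing relative to the baseline."""
    now = build_manifest(current)
    return {
        "added": sorted(p for p in now if p not in baseline),
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
    }


def scan_content(data: bytes) -> list[str]:
    """Names of the SUSPICIOUS_PATTERNS that match the file content."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data))


def triage(baseline: dict[str, str],
           current: dict[str, bytes]) -> list[tuple[str, str, list[str]]]:
    """(path, status, content hits) for every deviation from the baseline.

    Added and modified files get the content scan; a missing file is reported
    because attackers also delete protections such as an uploads/.htaccess."""
    diff = compare_to_baseline(baseline, current)
    findings = [(p, status, scan_content(current[p]))
                for status in ("added", "modified") for p in diff[status]]
    findings += [(p, "missing", []) for p in diff["missing"]]
    return findings


# Constructed sample: a clean deployment, then the same web root after an intrusion
# that dropped a shell in uploads/, appended a one-liner to index.php and removed
# the .htaccess that stopped PHP from running in uploads/.
CLEAN_WEBROOT = {
    "index.php": b"<?php echo 'hello'; ?>\n",
    "assets/app.js": b"console.log('app');\n",
    "uploads/.htaccess": b"php_flag engine off\n",
}
COMPROMISED_WEBROOT = dict(CLEAN_WEBROOT)
COMPROMISED_WEBROOT["uploads/cache.php"] = b"<?php eval(base64_decode($_POST['c'])); ?>"
COMPROMISED_WEBROOT["index.php"] += b"<?php if(isset($_GET['x'])){system($_GET['x']);} ?>\n"
del COMPROMISED_WEBROOT["uploads/.htaccess"]

if __name__ == "__main__":
    for path, status, hits in triage(build_manifest(CLEAN_WEBROOT), COMPROMISED_WEBROOT):
        print(f"{status:9} {path:22} {', '.join(hits) or '-'}")
```

The content regexes are deliberately secondary: an attacker can obfuscate past any signature, but cannot avoid changing the file set, which is why the diff drives the triage and the patterns only annotate it. For a real deployment, hash the clean artifact at build time and store the manifest off the server, so an attacker with write access to the web root cannot also rewrite the baseline.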

“Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems. Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems. Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks” reads the document.

“Though the term “web shells” is predominantly associated with malware, it can also refer to web-based system management tools used legitimately by administrators. While not the focus of this guidance, these benign web shells may pose a danger to organizations as weaknesses in these tools can result in system compromise. Administrators should use system management software leveraging enterprise authentication methods, secure communication channels, and security hardening”
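The command channel the report describes, HTTPS requests carrying operator commands to one file on the server, also leaves a trace in the web server's access log that does not depend on the shell's source code. The following is an added example, not from the CSI or the NSA repository. The scoring rule is an assumption made for this illustration: a web shell is a URI that very few client addresses ever touch, that receives POST requests, and that is always requested without a Referer, because the operator's script or browser typed the URL rather than navigating to it. The log lines are constructed, in Apache/nginx combined format, and the thresholds are starting points rather than tested values.

```python
"""Access-log heuristics for web shell traffic.

Added example, not from the NSA/ASD report. The scoring rule is an assumption:
a web shell is a URI that few client addresses ever touch, that receives POSTs
(the command channel), and that is requested with no Referer, because the
operator's script or browser typed the URL rather than navigating to it.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class UriStats:
    hits: int = 0
    posts: int = 0
    no_referer: int = 0
    clients: set[str] = field(default_factory=set)
    agents: set[str] = field(default_factory=set)


def parse_line(line: str) -> dict[str, str] | None:
    """One combined-format line -> field dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines: list[str]) -> dict[str, UriStats]:
    """Per-URI counters. The query string is stripped so /x.php?c=... and /x.php pool together."""
    stats: dict[str, UriStats] = defaultdict(UriStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["uri"].split("?", 1)[0]]
        s.hits += 1
        s.clients.add(rec["ip"])
        s.agents.add(rec["ua"])
        s.posts += int(rec["method"] == "POST")
        s.no_referer += int(rec["referer"] in ("", "-"))
    return dict(stats)


def suspicious_uris(lines: list[str], max_clients: int = 2,
                    min_post_ratio: float = 0.5) -> list[str]:
    """URIs that satisfy all three heuristics. Tune the thresholds against a week
    of your own logs before relying on the output."""
    flagged = []
    for uri, s in aggregate(lines).items():
        if (len(s.clients) <= max_clients
                and s.posts / s.hits >= min_post_ratio
                and s.no_referer == s.hits):
            flagged.append(uri)
    return sorted(flagged)


# Constructed sample log: three ordinary visitors, one operator driving a shell
# in /uploads/cache.php from a single address with a scripting user agent,
# and one legitimate single-visitor POST (/contact.php) that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Apr/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [24/Apr/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [24/Apr/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [24/Apr/2020:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/index.php" "Mozilla/5.0"',
    '203.0.113.11 - - [24/Apr/2020:10:01:30 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/index.php" "Mozilla/5.0"',
    '203.0.113.12 - - [24/Apr/2020:10:02:00 +0000] "POST /login.php HTTP/1.1" 200 812 "https://www.example.com/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2020:10:03:00 +0000] "POST /uploads/cache.php HTTP/1.1" 200 143 "-" "python-requests/2.23.0"',
    '198.51.100.7 - - [24/Apr/2020:10:03:04 +0000] "POST /uploads/cache.php HTTP/1.1" 200 2210 "-" "python-requests/2.23.0"',
    '198.51.100.7 - - [24/Apr/2020:10:03:09 +0000] "GET /uploads/cache.php?c=aWQ= HTTP/1.1" 200 61 "-" "python-requests/2.23.0"',
    '203.0.113.20 - - [24/Apr/2020:10:04:00 +0000] "POST /contact.php HTTP/1.1" 200 400 "https://www.example.com/contact.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for uri in suspicious_uris(SAMPLE_LOG):
        s = aggregate(SAMPLE_LOG)[uri]
        print(f"{uri}: {s.hits} hits from {sorted(s.clients)}, "
              f"{s.posts} POST, agents={sorted(s.agents)}")
```

Two caveats a practitioner will recognise. First, this only sees what the web server logs: a shell reached through the relay chains the report describes appears with the previous hop's address as the client, so the single-client signal still holds but the address is not the operator's. Second, the rule is tuned for leads, not alerts; a low-traffic admin page can trip it, which is why the output is meant to feed the file-level check rather than page an on-call engineer on its own.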

The report also lists vulnerabilities commonly exploited to deploy web shells. They affect a broad range of products, including Microsoft SharePoint and Exchange Server, Citrix appliances, Atlassian Confluence and Crowd, the WordPress Social Warfare plugin, Adobe ColdFusion, Zoho ManageEngine, and Progress Telerik UI. The list is a useful starting point for prioritising patching of internet-facing systems.

Vulnerability identifier   Affected application                                                                      Reported
-------------------------  ----------------------------------------------------------------------------------------  -----------
CVE-2019-0604              Microsoft SharePoint                                                                      15 May 2019
CVE-2019-19781             Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances  22 Jan 2020
CVE-2019-3396              Atlassian Confluence Server                                                               20 May 2019
CVE-2019-3398              Atlassian Confluence Server and Atlassian Confluence Data Center                          26 Nov 2019
CVE-2019-9978              WordPress “Social Warfare” plugin                                                         22 Apr 2019
                           Progress Telerik UI                                                                       7 Feb 2019
CVE-2019-11580             Atlassian Crowd and Crowd Data Center                                                     15 Jul 2019
CVE-2020-10189             Zoho ManageEngine Desktop Central                                                         6 Mar 2020
CVE-2019-8394              Zoho ManageEngine ServiceDesk Plus                                                        18 Feb 2019
CVE-2020-0688              Microsoft Exchange Server                                                                 10 Mar 2020
CVE-2018-15961             Adobe ColdFusion                                                                          8 Nov 2018
