NSA and ASD issue a report warning of web shells deployments

A joint report released by the U.S. NSA and the Australian Signals Directorate (ASD) warns of attackers increasingly exploiting vulnerable web servers to deploy web shells.

A joint report published by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) is warning of bad actors increasingly exploiting vulnerable web servers to deploy web shells.

The web shells allow attackers to maintain access to a compromised system and execute arbitrary commands. The compromised system could be used by threat actors as the entry point in a target network to gather intelligence and to attempt lateral movements.

“Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. Web shell malware is software deployed by a hacker, usually on a victim’s web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate have issued a dual-seal Cybersecurity Information Sheet (CSI).” reads the report.

The document provides valuable information on how to detect and prevent web shells from infecting the servers of the Department of Defense and other government agencies. The report could be useful for administrators that want to defend the servers in their networks from these threats.

“Due to the increasing use of web shells by adversaries to gain reliable access to compromised systems, the ASD and NSA have jointly produced a Cybersecurity Information Sheet (CIS) to help computer network defenders detect, prevent and mitigate the use of this type of malware.” states the ASD.

“This guidance will be useful for any network defenders responsible for maintaining web servers,”

The NSA has also released in its GitHub repository a collection of tools that can be used to prevent the deployment of the webshells and detect/block these threats.

“Cyber actors deploy web shells by exploiting web application vulnerabilities or uploading to otherwise compromised systems. Web shells can serve as persistent backdoors or as relay nodes to route attacker commands to other systems. Attackers frequently chain together web shells on multiple compromised systems to route traffic across networks, such as from internet-facing systems to internal networks” reads the document.

“Though the term “web shells” is predominantly associated with malware, it can also refer to web-based system management tools used legitimately by administrators. While not the focus of this guidance, these benign web shells may pose a danger to organizations as weaknesses in these tools can result in system compromise. Administrators should use system management software leveraging enterprise authentication methods, secure communication channels, and security hardening”

The report also includes a list of security issues commonly exploited by threat actors to deploy web shells, the vulnerabilities affect a broad range of products such as Microsoft SharePoint, Citrix appliances, Atlassian software, WordPress Social Warfare plugin, Adobe ColdFusion, Zoho ManageEngine, and the Progress Telerik UI app building toolkit.

Vulnerability Identifier	Affected Application	Reported
CVE-2019-0604	Microsoft SharePoint	15 May 2019
CVE-2019-19781	Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances	22 Jan 2020
CVE-2019-3396	Atlassian Confluence Server	20 May 2019
CVE-2019-3398	Atlassian Confluence Server and Atlassian Confluence Data Center	26 Nov 2019
CVE-2019-9978	WordPress “Social Warfare” Plugin	22 Apr 2019
CVE-2019-18935 CVE-2017-11317 CVE-2017-11357	Progress Telerik UI	7 Feb 2019
CVE-2019-11580	Atlassian Crowd and Crowd Data Center	15 July 2019
CVE-2020-10189	Zoho ManageEngine Desktop Central	6 Mar 2020
CVE-2019-8394	Zoho ManageEngine ServiceDesk Plus	18 Feb 2019
CVE-2020-0688	Microsoft Exchange Server	10 Mar 2020
CVE-2018-15961	Adobe ColdFusion	8 Nov 2018

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Web shells, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]