Web shells: How can we get rid of them and why law enforcement is not really the answer

07/14/2021
G DATA Blog

Microsoft has recently seen many attacks by hackers using so-called web shells. The number of web shell attacks between August 2020 and January 2021 doubled compared to the same period a year earlier. But what are they exactly and how can you fight them?

Microsoft recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very lightweight programmes (scripts) that hackers install on compromised web servers, either to attack the affected website or web-facing service directly or to prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised. Web shells are written in server-side languages such as PHP, JSP or ASP.

Once a web shell is successfully installed, the hackers are able to execute the same commands as the administrators of the website. They can also execute commands that steal data, install malicious code and gather system information that allows them to penetrate deeper into networks.

Difficult to discover

Web shells are also a persistent form of 'backdoor' that keeps giving attackers access to compromised servers. They are notoriously difficult to discover, partly because they have many different ways of executing commands. Hackers also hide these commands in user agent strings and in parameters that are exchanged between the attackers and the attacked websites. Furthermore, web shells can be hidden inside media files or other non-executable file formats.

To find out whether web shells are present on a server, there are some indicators which might help you: unknown connections in the server's logs, abnormally high server load, files with an abnormal timestamp, and a number of other signs. But even with these indicators it remains very difficult to discover them.

Tips for fighting web shell attacks

To combat attacks using web shells, there are a number of possible measures. These include discovering these programs and identifying and resolving the vulnerabilities and misconfigurations in web applications and web servers through which they are installed, using threat and vulnerability management.

In addition, attacks can be prevented from spreading by proper segmentation of the perimeter network, so that a compromised web server cannot be used to cause further damage elsewhere in the network. Furthermore, companies must always install antivirus protection on the servers themselves, as this can prevent the malware from being installed on the machines. We have already been made aware of cases where only e-mail protection was in place on these servers. That of course offers no protection against malware on the actual server or against certain types of targeted attacks.

Furthermore, companies should audit and review the logs of their web servers more frequently. This will also give them a better picture of which systems are exposed to the Internet.
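As an added example (not part of the original post), the script below applies the log-based indicators described above to constructed Apache access-log lines: it flags script files that are not known application entry points, executable scripts sitting under an upload directory, and repeated referer-less POST requests to one script from a single address. The sample log lines, the list of known scripts and the POST threshold are assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 8001 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2021:10:05:17 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 311 "-" "python-requests/2.25"
198.51.100.9 - - [10/Jan/2021:10:05:18 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 980 "-" "python-requests/2.25"
198.51.100.9 - - [10/Jan/2021:10:05:20 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 4400 "-" "python-requests/2.25"
203.0.113.77 - - [10/Jan/2021:10:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx", ".phtml")
KNOWN_SCRIPTS = {"/index.php", "/login.php"}  # assumed inventory of deployed entry points

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string, keep the file path
    return d

def find_suspects(log_text, known_scripts=KNOWN_SCRIPTS, post_threshold=3):
    """Return {script_path: sorted list of reasons} for paths worth a manual look."""
    posts = defaultdict(Counter)   # path -> source ip -> referer-less POST count
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        p = r["path"]
        if not p.lower().endswith(SCRIPT_EXT):
            continue
        if p not in known_scripts:
            reasons[p].add("script outside known application entry points")
        if p.startswith("/uploads/"):  # server-side code should never live in an upload dir
            reasons[p].add("executable script in upload directory")
        if r["method"] == "POST" and r["referer"] == "-":
            posts[p][r["ip"]] += 1
    for p, ips in posts.items():
        ip, n = ips.most_common(1)[0]
        if n >= post_threshold:  # repeated direct POSTs from one address look like tasking
            reasons[p].add(f"{n} referer-less POSTs from {ip}")
    return {p: sorted(v) for p, v in reasons.items()}
```

Any path returned is a candidate for file-level checks (timestamp, owner, content) rather than proof of compromise; in practice the known-script list should come from the deployment inventory.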

Law enforcement to the rescue?

During the Hafnium attack and other recent MS Exchange attacks, web shells were used, among other things, to install ransomware on the compromised servers and to steal data. Then the FBI suddenly took action of its own. A couple of weeks ago, the American investigation service announced that it had removed web shells from hundreds of compromised servers under a court order. The removed web shells belonged to a group that took advantage of the Exchange vulnerabilities at an early stage to gain access to the networks of US organizations and companies. These web shells each had a unique path and file name, making it potentially more difficult for the server owners to find and remove them.

In this initiative, spearheaded by the FBI, hundreds of malware-infected Microsoft Exchange servers in the United States were cleaned up. However, the fact that affected organizations were only made aware of this after the fact has garnered mixed reactions from security experts and security companies.

"The FBI is breaking into American computers to remove malware - and is breaking the law to do so," said whistleblower Edward Snowden. Experts told SecurityWeek that the action sets a dangerous precedent of giving law enforcement agencies broad permission to break into computers suspected of being compromised. However, there are also experts who agree with the FBI's action, as it protects companies with possibly no good technical background.

Questionable helpfulness

A security researcher with the alias The Grugq states in a reaction that the infected Exchange servers that have been cleaned up will probably be compromised again. There are also legal questions about the method used. "This warrant is a very powerful and potentially dangerous tool that gives the government permission to access the computers of innocent people to delete files without notice," Kurt Opsahl of the US civil rights organisation EFF told The Washington Post.

While there are many doubts about whether this action was ethically justified in this case, the good news is that the FBI is at least informing all owners and administrators of the servers from which it has removed the web shells. Where contact details were public, the US investigation service sent an e-mail; where they were not known, the FBI informed the owner's provider, which in turn alerted the infected and cleaned-up client. The question remains whether an action like this would have been possible in the EU.

Of course, although the web shells have been successfully removed, the underlying vulnerabilities in the Exchange servers have not been patched. It is also possible that other malware is still present on the system. Companies should definitely double-check their servers for malware. The fact that the FBI has removed one particular thing from a compromised system does not constitute a clean bill of health for the machine in question.

An ethical dilemma

The affair leaves one uncomfortable question lingering, which goes back to Mr Opsahl’s statement: If law enforcement is allowed to step in and make changes to a system, doesn’t this leave open a lot of potentially undesirable options? Could this be a precedent to issuing carte blanche to any and all investigators to just go and gather supposed evidence in a “no holds barred” way, even if no crime has been committed? Or worse, surreptitiously plant evidence there? This is a dangerous path to go down. There is lots of potential for irreparable damage, not only to the data that companies handle and that they were entrusted with, but also the trust of people in the authorities, which in some areas is not great to begin with.

This move could not have come at a worse time. Germany, always a stalwart defender of privacy, has just greenlit a new piece of national law that would force providers to assist law enforcement in planting surveillance software on a suspect's devices, even if no crime may have been committed (yet). All opposition and well-founded criticism was shot down, and drafts were submitted with only days to examine them and provide feedback. This will no doubt have a signalling effect.