Microsoft says that the number of malicious web shells installed on web servers has almost doubled since its last count, last year in August 2020.
In a blog post yesterday, the Redmond company said that it discovered approximately 1
The increase is the result of a shift in how attackers view web shells. Once considered a script-kiddie tool for defacing websites and the go-to tool of DDoS botnet operators, web shells are now part of the arsenal of ransomware gangs and nation-state hackers, and are important tools in complex intrusions.
Two of the reasons they have become so popular are their versatility and the access they provide to compromised servers.
Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server, such as PHP, ASP, JSP or JS, and as such can easily be hidden inside a site's source code. This makes detecting them difficult, and detection often requires manual analysis by a human operator.
In addition, web shells provide an easy way to execute commands on a hacked server through a graphical or command-line interface, giving attackers a simple way to escalate their attacks.
Web shells are becoming more prevalent as more servers are put online
As corporate IT has moved toward hybrid cloud environments, the number of companies running web servers has increased in recent years, and in many cases these public-facing servers have a direct connection to internal networks.
As Microsoft's statistics show, attackers appear to have noticed this change in corporate network design and have intensified their attacks on public-facing systems.
Web shells now play a crucial role in these attacks, providing a way to control the hacked server and then orchestrate a pivot into the target's internal network.
This type of attack is exactly what the US National Security Agency warned about in April 2020, when it published a list of 25 vulnerabilities that were often used to install web shells.
The NSA report warned not only about web shells being used on public-facing systems, but also about their use inside internal networks, where they serve as pivot points for jumping to non-public systems.
Microsoft is urging companies to prioritize their approach to dealing with web shells, which are slowly becoming one of today's biggest security threats. As a starting point, the OS maker recommends some basic actions:
- Patch internet-facing systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
- Extend antivirus protection to web servers, not just employee workstations.
- Segment the network to limit the damage from an infected server to a small set of systems rather than the entire network.
- Audit and review web server logs frequently, especially for public-facing systems, which are more exposed to scanning and attack.
- Practice good credential hygiene. Restrict the use of accounts with local or domain admin rights.
- Check your firewall and proxy to restrict unnecessary access to services, including access to services over non-standard ports.
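Because web shells are plain scripts hidden among a site's legitimate source files, one practical complement to log review is a periodic scan of the web root for shell-like constructs. The following is an added example written for this article, not code from Microsoft or the NSA report: a heuristic Python scanner that counts distinct indicator categories (command-execution functions, request input, decoders, dynamic calls, hex blobs) so that a lone benign use of request data is not flagged on its own. The file extensions, regexes, threshold and sample snippets are assumptions constructed here for illustration.

```python
"""Heuristic scan of web-root files for web-shell-like constructs (PHP-centric, constructed example)."""
import os
import re

# One regex per indicator category; hits in distinct categories are counted,
# so a single $_GET read or a single eval() does not by itself trip the verdict.
INDICATORS = {
    "exec_function": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\["),
    "decoder": re.compile(
        r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|hex2bin)\s*\(", re.I),
    "variable_call": re.compile(r"\$\w+\s*\(\s*\$"),       # $f($x): dynamic function call
    "hex_blob": re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I),  # long \xNN-escaped payload
}

def analyze(source: str, threshold: int = 2) -> dict:
    """Return the matched indicator categories and a verdict for one file's source text."""
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    # An execution function fed directly by request data on one line is decisive alone.
    direct = any(
        INDICATORS["exec_function"].search(line) and INDICATORS["request_input"].search(line)
        for line in source.splitlines()
    )
    return {"matched": matched, "suspicious": direct or len(matched) >= threshold}

def scan_webroot(root: str, exts=(".php", ".phtml", ".asp", ".aspx", ".jsp", ".js")):
    """Walk a web root and yield (path, analysis) for files that look like web shells."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = analyze(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if result["suspicious"]:
                yield path, result

# Constructed samples (not files taken from any real site) used to exercise the detector.
BENIGN = "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho 'Hello ' . $name;\n"
SUSPECT = "<?php\n$k = base64_decode($_POST['c']);\n$f = 'sys' . 'tem';\n$f($k);\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, analyze(src))
```

Treat hits as leads for the manual review the article mentions, not as a verdict; obfuscated shells that split keywords across files will evade simple regexes, so pair this with file-integrity baselines and the log review above.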