NSA, ASD publish advisory for detecting and mitigating web shell malware

Malicious web shells can evade most security tools, which makes them difficult to detect

The US National Security Agency (NSA) and the Australian Signals Directorate (ASD) have released joint security guidance on techniques that can be used to detect and prevent web shell malware from affecting web servers.

Malicious web shells have been a threat for several years, according to the NSA, and can be deployed on a compromised internal or internet-facing server to gain or retain access to compromised networks.

Hackers use these programmes to execute arbitrary system commands, which are usually sent over HTTPS. They also allow threat actors to deliver additional malware payloads on infected servers and to pivot to other machines within the network.

Web shell malware is usually difficult to detect because it can evade most security tools.

Cyber actors can upload malicious web shells onto vulnerable web servers in a variety of forms, such as app plugins, Unix shell scripts, ASP and PHP code snippets that are injected within pages of a web application, and programmes specifically created to provide web shell features.

Most web shells enable attackers to copy, rename, edit, upload or move new files on an infected server. Hackers can also use them to modify directory and file permissions or to steal sensitive data from the server.

Cyber actors usually deploy malicious web shells by exploiting security flaws in internet-facing servers or web applications, such as content management systems (CMS), CMS themes, CMS plugins, enterprise apps, intranet, etc.

The advisory [pdf] from the NSA warns admins about the misperception that only internet-facing web servers are targeted by hackers for web shells.

"Attackers frequently deploy web shells on non-internet facing web servers, such as internal content management systems or network device management interfaces. Internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements," NSA cautions.

The security guidance discusses techniques that security teams can use to discover hidden web shells, to manage recovery processes after finding web shells, and to prevent hackers from deploying such malicious programmes on unpatched servers. For example, the advisory provides log queries and sample scripts that admins can use to detect anomalies in systems.
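One of the anomaly checks a defender can run over web server logs is to profile each requested URI and look for the traffic pattern a shell's command channel tends to produce: a handful of client addresses, POST-heavy requests, and no referer, to a file that the legitimate application rarely serves. The script below is an added example written for this article; it is not one of the advisory's own queries or scripts. The log lines are constructed, and the combined-log regular expression, the thresholds and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed layout for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample access log: ordinary browsing and logins from internal
# clients, plus repeated scripted POSTs from one address to a PHP file that
# sits in an upload directory. None of these addresses or hosts are real.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.6 - - [01/May/2020:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.6 - - [01/May/2020:10:00:09 +0000] "GET /about.php HTTP/1.1" 200 2210 "http://intranet.example/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/May/2020:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://intranet.example/wp-login.php" "Mozilla/5.0 (Macintosh)"
10.0.0.5 - - [01/May/2020:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://intranet.example/wp-login.php" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [01/May/2020:10:02:03 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.23.0"
203.0.113.7 - - [01/May/2020:10:02:05 +0000] "POST /wp-content/uploads/cache.php?v=1 HTTP/1.1" 200 1044 "-" "python-requests/2.23.0"
203.0.113.7 - - [01/May/2020:10:02:11 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.23.0"
"""


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            # Normalise away the query string so /x.php and /x.php?v=1 aggregate together.
            rec["uri"] = rec["uri"].split("?", 1)[0]
            yield rec


def uri_profile(text):
    """Aggregate, per URI, the traits that separate a backdoor from a normal page."""
    prof = defaultdict(lambda: {"hits": 0, "ips": set(), "agents": set(),
                                "posts": 0, "referers": 0})
    for rec in parse_log(text):
        p = prof[rec["uri"]]
        p["hits"] += 1
        p["ips"].add(rec["ip"])
        p["agents"].add(rec["agent"])
        if rec["method"] == "POST":
            p["posts"] += 1
        if rec["referer"] != "-":
            p["referers"] += 1
    return prof


def find_suspicious(text, max_clients=2):
    """Return URIs whose traffic looks like command traffic to a web shell:
    few distinct clients, mostly POST, and never reached via a referer."""
    flagged = []
    for uri, p in uri_profile(text).items():
        post_ratio = p["posts"] / p["hits"]
        if len(p["ips"]) <= max_clients and p["referers"] == 0 and post_ratio >= 0.5:
            flagged.append(uri)
    return sorted(flagged)


if __name__ == "__main__":
    for uri in find_suspicious(SAMPLE_LOG):
        p = uri_profile(SAMPLE_LOG)[uri]
        print(f"suspicious: {uri} hits={p['hits']} clients={len(p['ips'])} "
              f"agents={sorted(p['agents'])}")
```

Legitimate POST endpoints such as a login form survive the filter because they are reached from many clients and carry a referer; the thresholds should be tuned against a known-clean window of the same server's logs before the output is trusted, and a hit is a lead to inspect the file on disk, not a verdict on its own.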

"A critical focus once a web shell is discovered should be on how far the attacker penetrated within the network," the advisory says.

"Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where."

"If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time."
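The scoping step the advisory describes, using network flow data to find out whether and where a web shell was used to pivot, comes down to comparing the server's outbound connections during the incident window against the peers it normally talks to. The script below is an added example written for this article, not the advisory's own material; the flow records, addresses, the web server's address and the `10.0.0.0/8` internal range are all constructed, and the function names are assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# A minimal flow record of the kind exported by NetFlow/IPFIX collectors
# (assumed field set for this example).
Flow = namedtuple("Flow", "start src dst dport nbytes")

WEB_SERVER = "10.0.1.20"          # constructed address of the compromised web server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range

# Constructed baseline flows from a known-clean window: the web server only
# ever reaches its database and the internal DNS resolver.
BASELINE_FLOWS = [
    Flow("2020-04-20T09:00:00", WEB_SERVER, "10.0.1.30", 3306, 40210),
    Flow("2020-04-20T09:00:02", WEB_SERVER, "10.0.0.2", 53, 140),
    Flow("2020-04-20T09:05:00", WEB_SERVER, "10.0.1.30", 3306, 38800),
]

# Constructed flows from the incident window: the usual peers, a callback to
# an external address, and new connections to two internal hosts on
# SMB and RDP ports that the server had never contacted before.
INCIDENT_FLOWS = [
    Flow("2020-05-01T10:02:00", WEB_SERVER, "10.0.1.30", 3306, 39950),
    Flow("2020-05-01T10:02:04", WEB_SERVER, "203.0.113.7", 443, 2200),
    Flow("2020-05-01T10:02:30", WEB_SERVER, "10.0.2.15", 445, 18400),
    Flow("2020-05-01T10:02:41", WEB_SERVER, "10.0.2.15", 3389, 910300),
    Flow("2020-05-01T10:03:10", WEB_SERVER, "10.0.2.16", 445, 17600),
    Flow("2020-05-01T10:03:12", "10.0.0.9", WEB_SERVER, 443, 5100),   # inbound, ignored
    Flow("2020-05-01T10:03:20", WEB_SERVER, "10.0.0.2", 53, 150),
]


def outbound_from(flows, host):
    """Flows the given host initiated (host is the source address)."""
    return [f for f in flows if f.src == host]


def known_peers(flows, host):
    """(destination, port) pairs the host contacted during the baseline window."""
    return {(f.dst, f.dport) for f in outbound_from(flows, host)}


def new_internal_peers(baseline, incident, host, internal=INTERNAL):
    """Return internal (destination, port) pairs first contacted by the host in
    the incident window, with first-seen time, flow count and bytes sent.
    External destinations are skipped: they are the shell's command channel,
    not a lateral move, and are worth a separate report."""
    known = known_peers(baseline, host)
    found = {}
    for f in outbound_from(incident, host):
        if (f.dst, f.dport) in known or ipaddress.ip_address(f.dst) not in internal:
            continue
        entry = found.setdefault((f.dst, f.dport),
                                 {"first_seen": f.start, "flows": 0, "nbytes": 0})
        entry["flows"] += 1
        entry["nbytes"] += f.nbytes
    return found


def pivot_targets(baseline, incident, host):
    """Sorted list of internal hosts the compromised server newly reached."""
    return sorted({dst for dst, _ in new_internal_peers(baseline, incident, host)})


if __name__ == "__main__":
    for (dst, port), info in sorted(new_internal_peers(BASELINE_FLOWS, INCIDENT_FLOWS, WEB_SERVER).items()):
        print(f"{dst}:{port} first seen {info['first_seen']} flows={info['flows']} bytes={info['nbytes']}")
    print("hosts to scope next:", pivot_targets(BASELINE_FLOWS, INCIDENT_FLOWS, WEB_SERVER))
```

The list of newly contacted internal hosts is the input to the next round of scoping: each of those hosts needs the same treatment before eviction, which is the point of the advisory's warning that cleaning up one pivot without finding the full extent of the intrusion leaves the attacker a way back in.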