Microsoft warns of growing number of cyberattacks using web shells

Microsoft has warned of an increase of cyberattacks using web shells. Cybercriminals often use web shells to secure their presence on compromised networks.

Compared to last year, the average monthly number of malicious web shells detected on compromised servers has doubled.

"As the latest data from Microsoft 365 Defender shows, this trend not only continued, but also intensified: every month from August 2020 to January 2021, we recorded an average of 140,000 detections of these threats on servers," Microsoft said.

Microsoft's Defender Advanced Threat Protection (ATP) report last year, based on data collected from 46,000 individual devices, put the figure at an average of 77,000 web shells detected on compromised servers per month.

Microsoft attributes the growing number of cyberattacks using web shells to the fact that they are very easy to use and effective. Typically, a web shell is a small piece of malicious code written in a common web development language (e.g. ASP, PHP, JSP). Cybercriminals plant it on a web server, giving themselves remote access to that server for further code execution.

Web shells allow attackers to run commands on servers to steal data or to use the server as a launching pad for other actions, such as lateral movement, deployment of additional payloads, or hands-on-keyboard activity.

Attackers install web shells on servers by exploiting vulnerabilities in Internet-facing web applications and servers. To find vulnerable installations, they scan the Internet using publicly available tools such as shodan.io. Cybercriminals often exploit vulnerabilities that the vendor has already fixed but that, unfortunately, system administrators have not yet patched.

Once installed on the server, web shells are one of the most effective means of maintaining persistence in attacked corporate networks.

"We often see cases where web shells are used exclusively as a persistence mechanism. Web shells provide a backdoor on a compromised network because after gaining initial access to a server, an attacker leaves a malicious implant on it. If not detected, web shells provide an attacker with the ability to continue to collect data and monetize the networks to which they have access," Microsoft reports.
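As an added illustration (not code from Microsoft's report or from this article), the following Python scanner looks for the code shape described above in PHP files under a web root: request data flowing into an exec/eval sink, an encoding layer wrapped around eval, and a function name taken from the request. The indicator patterns, weights and sample files are constructed heuristics for this example; a real deployment would pair this with file-creation monitoring on the web root.

```python
import os
import re
# Sinks that hand a string to the PHP interpreter or the operating system.
SINK = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("
# Superglobals through which a remote operator supplies request data.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# (name, compiled pattern, weight). Heuristics: they flag code shape, not intent.
INDICATORS = [
    # Request data reaches a sink within one statement, e.g. system($_POST['x'])
    ("request_to_sink", re.compile(SINK + r"[^;]*?" + REQUEST_INPUT, re.I), 5),
    # A decoding layer wrapped around eval, used to defeat plain string matching
    ("encoded_eval", re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I), 4),
    # A variable loaded from request data is later called as a function: $f = $_GET['f']; $f(...)
    ("dynamic_call", re.compile(r"(\$\w+)\s*=\s*" + REQUEST_INPUT + r"[^;]*;.*?\1\s*\(", re.I | re.S), 3),
]

def analyse(source: str):
    """Return (risk score, matched indicator names) for one script's source text."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(source)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits

def scan_tree(root: str, threshold: int = 3):
    """Walk a web root and report PHP-family files whose score meets the threshold."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = analyse(fh.read())
            if score >= threshold:
                findings.append((path, score, hits))
    return sorted(findings, key=lambda f: -f[1])

# Constructed samples for this example (not files from any real incident).
SAMPLES = {
    "search.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",            # benign: input only echoed
    "status.php": "<?php echo shell_exec('uptime'); ?>",                           # benign: sink, constant argument
    "upload/img.php": "<?php if(isset($_REQUEST['c'])){ system($_REQUEST['c']); } ?>",  # request-controlled sink
    "cache/x.php": "<?php eval(base64_decode('AAAA')); ?>",                        # obfuscated eval
    "inc/h.php": "<?php $f = $_GET['f']; $f($_GET['a']); ?>",                      # dynamic call from request data
}
if __name__ == "__main__":
    for name, src in SAMPLES.items():
        score, hits = analyse(src)
        print(f"{name:16} score={score} {hits}")
```

Note that `status.php` scores zero even though it calls `shell_exec`: the scanner keys on request data reaching the sink, which is what distinguishes a web shell from a script with a hard-coded command.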

Let me remind you that I also reported that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
