
Australian and US governments issue first joint guidance to protect against web shell threats

By Scott Hagenus, CMO, emt Distribution

Unless you’ve been hiding under a doona all year you’re probably aware of the increase in successful cyber attacks using malware to gain access to an organisation’s systems, disrupt its operations and extort ransoms.

Perhaps the most high-profile case was Toll Group, which reported not one but two ransomware attacks in quick succession that caused widespread disruption to customers. And there have been plenty of others including P&N Bank, Service NSW, MyBudget, Fisher & Paykel and Lion.

It’s easy to blame rising numbers of attacks on the increase in people working from home because of COVID-19. Many home workers are using poorly secured systems and there is an ever-present temptation to click on email links and attachments from dubious sources.

While that is definitely a major attack vector – and we’ve seen organisations racing to lock down unprotected endpoints by whatever means possible as a result – it doesn’t tell the whole story when it comes to malware attacks. Importantly, there remain significant vulnerabilities in many organisations’ defences.

The Australian Cyber Security Centre (ACSC) recently highlighted the fact that there are other ways for malware to gain access to systems in an advisory posted under the useful heading of “Detect and prevent web shell malware”.

“Malicious web shells are a type of software uploaded to a compromised web server to enable remote access by an attacker,” says the advisory, and “their use by cyber adversaries is becoming more frequent due to the increasing use of web-facing services by organisations across the world”.

First joint guidance from the ASD and NSA

As a result, “The Australian Signals Directorate and counterparts at the US National Security Agency (NSA) have for the first time jointly published new guidance on mitigating the threat of web shell malware.”

The advisory is significant. It makes it clear that there has been enough of an uptick in attacks throughout 2019, and of a high enough risk weighting, to warrant the advisory, “due to the increasing use of web shells by adversaries to gain reliable access to compromised systems”.

This is before taking into account any increase in cyber attacks this year, or the fact that, post COVID-19, it’s become harder to defend against attacks given the dispersed nature of the workforce, which both increases an organisation’s attack surface and stretches its defensive capabilities.

The ASD and the NSA suggest a number of measures that organisations can take to detect and protect themselves against web shell malware. As with many government advisories, it can be hard to know where to start. But it really doesn’t have to be difficult if you take a solutions-led approach.

Restrict file types and sanitise uploaded files

George Prichici, Director of Product Management for OPSWAT, a US-based cyber security company focused on protecting critical infrastructure, explains why web shell attacks are becoming popular with malicious actors.

In general, to run a web shell, you will need to exploit a vulnerability in the system to allow you to run your uploaded file, says Prichici. “If I’m able to execute code on the server (RCE) or perform a Local File Inclusion, then web shell or remote shell will be the natural thing to do to pretty much open a backdoor on your server.”

If the web app offers file upload functionality with almost no restrictions, then it is almost too easy for malicious actors, he says. “Detecting a web shell using signatures is not trivial and can be quite easily bypassed. At the end of the day, you can repackage it, hide it in some regular accepted files, etc.”

To protect against these vulnerabilities, Prichici has some advice and recommendations for organisations and their service providers.

Firstly, restrict the file types. “ALWAYS check the true file type on the server side – don’t rely on file extension, or even worse the Content-Type. Then scan the files. Some AV engines have signatures/heuristics for some of the popular web shells. If attackers are trying to upload a web shell to my service, I would most certainly want to know.”

Finally and most importantly, he says, sanitise all uploaded files, even if you have already restricted the file types. “Check the file structure and remove additional artifacts. There are countless examples where the payload was delivered using regular productivity files but added as active content or hidden in some advanced file properties/metadata (e.g. encoded payload found in EXIF image data). Using sanitisation, you’ll be able to remove the payload.”

In summary, according to Prichici, by not relying on detection and always sanitising the input file content, you will be able to prevent any potentially malicious script from reaching the server, either by rejecting the file outright or by removing the code embedded in what seem to be legitimate files.
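The two steps Prichici describes, checking the true file type on the server side and then sanitising what remains, are shown together below as an added example written for this article; it is not code from the advisory, OPSWAT or emt Distribution. It assumes a small allowlist of three file types identified by magic bytes (the client’s extension and Content-Type are compared against the detected type only to catch lies, never trusted on their own), and it uses PNG as the worked case for sanitisation: the image is rebuilt from its critical chunks only, so metadata chunks such as tEXt or eXIf, where an encoded payload could be parked, never reach disk. The sample PNG and the text hidden in it are constructed for the example.

```python
import struct
import zlib

# Accepted types, identified by leading magic bytes on the server side.
# Neither the filename extension nor the client-supplied Content-Type is
# trusted; they are only compared against the detected type to flag lies.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}


def detect_type(data):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def check_upload(data, claimed_content_type):
    """Reject anything whose true type is not allowlisted or disagrees
    with what the client claimed. Returns (accepted, reason)."""
    true_type = detect_type(data)
    if true_type is None:
        return False, "true type not in allowlist"
    if true_type != claimed_content_type:
        return False, "claimed %s but content is %s" % (claimed_content_type, true_type)
    return True, true_type


# --- PNG sanitisation: keep only the chunks needed to render the image ---
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype, body):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_png_chunks(data):
    """Yield (type, body) for each chunk, verifying structure and CRCs.
    A malformed file is rejected rather than passed through half-parsed."""
    pos = len(PNG_SIG)
    while True:
        if len(data) < pos + 12:
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if len(data) < end + 4:
            raise ValueError("truncated chunk body")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return


def sanitise_png(data):
    """Rebuild the PNG from critical chunks only. Ancillary chunks such as
    tEXt, zTXt, iTXt and eXIf, where a payload can be hidden as metadata,
    are dropped. Returns (clean_bytes, dropped_chunk_types)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out = bytearray(PNG_SIG)
    dropped = []
    for ctype, body in iter_png_chunks(data):
        if ctype in CRITICAL:
            out += make_chunk(ctype, body)
        else:
            dropped.append(ctype.decode("ascii", "replace"))
    return bytes(out), dropped


# Constructed sample: a 1x1 greyscale PNG carrying a tEXt chunk whose text
# stands in for metadata an attacker might abuse (placeholder, not a payload).
HIDDEN_TEXT = b"Comment\x00PLACEHOLDER-FOR-HIDDEN-ACTIVE-CONTENT"
SAMPLE_PNG = (
    PNG_SIG
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + make_chunk(b"tEXt", HIDDEN_TEXT)
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + make_chunk(b"IEND", b"")
)

if __name__ == "__main__":
    # A Content-Type lie: plain text uploaded as "image/png" is rejected.
    print(check_upload(b"not an image at all", "image/png"))
    print(check_upload(SAMPLE_PNG, "image/png"))
    clean, dropped = sanitise_png(SAMPLE_PNG)
    print("dropped:", dropped, "payload removed:", HIDDEN_TEXT not in clean)
```

The ordering matters: type detection runs first so that only formats the sanitiser understands are ever parsed, and the sanitiser fails closed on anything structurally wrong (bad CRC, truncated chunk) instead of trying to repair it. The same allowlist-and-rebuild approach extends to other container formats, with a format-specific rebuild step in place of the PNG chunk filter.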

Detect and remediate web shell vulnerabilities

Nicholas Sciberras, CTO of Acunetix, a company that specialises in detecting web application vulnerabilities and the attack methods used to exploit them, also counsels against relying on detection alone.

Unprotected file upload functionality is just one of many vulnerabilities that may allow an attacker to upload malicious files to an organisation’s servers, he says. “With targeted attacks, detecting those files can be hit and miss. We know from experience that one of the best mitigation strategies an organisation can use is to detect vulnerabilities and remediate them before they are exploited.”

“Identifying vulnerabilities like unrestricted file upload, RFI, SQLi, XSS and other vulnerabilities that facilitate the ability for malicious hackers to upload nefarious web shells to the web servers is critical,” says Sciberras. “Closing these holes is relatively straightforward, but if they hadn’t been detected early on, post-incident clean-up and recovery could have been disastrous.”

About emt Distribution

emt Distribution is an Adelaide-based value-added distributor and vendor representative with a presence in Australia, Singapore, Hong Kong, the Philippines, the UAE and South Africa. It also works closely with like-minded distributors in the UK, the Netherlands and Germany. emt offers cyber security solutions that address the top four mitigation strategies to prevent cyber security incidents, the broader strategies in the Australian Government’s Information Security Manual (ISM) and solutions to address Cyber Threat Management.

emt Distribution assists channel partners, MSPs and MSSPs to deliver the cyber security solutions their customers need. emt offers pre- and post-sales support, channel development, engaged sales processes and marketing assistance for both vendors and channel partners. See: www.emtdist.com