May 31, 2023

Web shell attacks surpass ransomware as top threat

According to Cisco Talos Intelligence Group, malicious web shells surpassed ransomware as the top observed threat in the first quarter of 2023, comprising nearly 22 percent of incidents. Web shells allow remote administration on web servers. They may be used for legitimate purposes, but they are often installed by cyber criminals and other adversaries to gain unauthorized access to systems and networks, including those at universities.

The Talos Quarterly Report on Incident Trends provides the following details:
“The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own set of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of access and tools and increases the likelihood that they will be able to deploy additional malware or obtain sensitive and private information.”

The Need to Know blog series on the Talos site gives recommendations for prevention:

  • Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
  • In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
  • Disable unnecessary PHP functions in your php.ini, such as eval(), exec(), popen(), proc_open() and passthru().
  • Frequently audit and review logs from web servers for unusual or anomalous activity.
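The two recommendations that an administrator can check mechanically are the php.ini hardening and the log review. The script below is an added example written for this post; it is not code from Talos or from the advisory, and every input it uses (the php.ini fragment, the access log lines, the route allowlist and the upload directories) is a constructed sample. The php.ini audit reports which command-execution functions are still missing from disable_functions and also points out a caveat the list above glosses over: eval() is a PHP language construct, not an internal function, so listing it in disable_functions has no effect. The log review parses combined-format access log lines and flags requests that match common web shell traffic patterns: a PHP script served from an upload directory, a command-style query parameter, or a script path that is not part of the known application.

```python
"""Defender-side checks for two of the web shell recommendations above:
audit php.ini disable_functions, and review web server access logs.
Added example; all sample inputs are constructed, not real data."""
import re

# Internal functions web shells commonly rely on to run OS commands.
RECOMMENDED_DISABLED = {"exec", "popen", "proc_open", "passthru", "shell_exec", "system"}
# eval is a language construct: disable_functions cannot block it.
LANGUAGE_CONSTRUCTS = {"eval"}

# Constructed php.ini fragment (assumption: a typical key = value layout).
SAMPLE_PHP_INI = """
; constructed php.ini fragment
expose_php = Off
disable_functions = eval,exec,passthru
"""


def parse_disable_functions(ini_text: str) -> set:
    """Return the function names listed in php.ini's disable_functions."""
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue  # comment or non-setting line
        key, _, value = line.partition("=")
        if key.strip() == "disable_functions":
            return {f.strip() for f in value.split(",") if f.strip()}
    return set()


def audit_php_ini(ini_text: str) -> dict:
    """Report recommended functions not disabled, and constructs wrongly listed."""
    disabled = parse_disable_functions(ini_text)
    return {
        "missing": sorted(RECOMMENDED_DISABLED - disabled),
        "constructs_listed": sorted(disabled & LANGUAGE_CONSTRUCTS),
    }


# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Constructed allowlist of scripts the application legitimately serves.
KNOWN_ROUTES = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php"}
# Constructed directories that should hold uploaded files, never executable scripts.
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/", "/media/")
# Query parameter names that typically carry a command to a web shell.
COMMAND_PARAMS = {"cmd", "command", "exec"}

# Constructed access log sample (IPs are documentation ranges).
SAMPLE_ACCESS_LOG = """
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:12:00:02 +0000] "GET /wp-content/uploads/2023/05/img.jpg HTTP/1.1" 200 8842 "https://example.edu/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:12:01:13 +0000] "POST /wp-content/uploads/2023/05/shell.php?cmd=whoami HTTP/1.1" 200 48 "-" "python-requests/2.28"
198.51.100.7 - - [10/May/2023:12:01:20 +0000] "POST /wp-content/uploads/2023/05/shell.php HTTP/1.1" 200 412 "-" "python-requests/2.28"
"""


def review_access_log(log_text: str, known_routes=KNOWN_ROUTES) -> list:
    """Return one finding per request that shows web shell-like traits."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        path, _, query = m["target"].partition("?")
        reasons = []
        if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
            reasons.append("php script under upload directory")
        params = {p.split("=", 1)[0] for p in query.split("&") if p}
        if params & COMMAND_PARAMS:
            reasons.append("command-style query parameter")
        if path.endswith(".php") and path not in known_routes:
            reasons.append("script not in application allowlist")
        if reasons:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(audit_php_ini(SAMPLE_PHP_INI))
    for finding in review_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

On the sample inputs the audit reports popen, proc_open, shell_exec and system as still enabled and eval as a listed construct that the setting cannot disable, and the log review flags only the two requests from 198.51.100.7 to the script in the uploads directory. The allowlist check is the most useful of the three heuristics in practice because a web shell need not use a recognisable parameter name; it requires keeping the list of legitimate script paths current as the application is updated.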

Our Web Shells risk advisory has more information about this threat, with additional recommendations for prevention and detection.

Go to advisory

References

Talos
The Need to Know: What Is a Web Shell?
Quarterly Report: Incident Response Trends in Q1 2023