The Australian Signals Directorate (ASD) and the United States National Security Agency (NSA) intelligence agencies have jointly published guidance to help organisations counter the threat from so-called web shells, or malware that is planted on servers for computer network exploitation.
ASD and NSA said web shell malware is a long-standing pervasive threat that is difficult to detect as it continues to evade many security tools.
Web shell malware such as "China Chopper" that was used in the theft of Australian defence contractor plans in 2017 can be deployed on systems by exploiting web application vulnerabilities, or by uploading malicious code to compromised systems.
The intelligence agencies warned that it is a common misperception that only internet facing systems are targeted for web shells.
"Attackers frequently deploy web shells on non-internet facing web servers, such as internal content management systems or network device management interfaces. Internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements," ASD and NSA cautioned.
With web shells in place, threat actors can use the malware as persistent backdoors into systems, or as relay nodes to route commands for attacks of other systems, ASD and NSA said.
Discovering web shells can be difficult but a defence-in-depth approach that uses multiple detection capablities is most likely to find the malware, the security agencies said.
The guidance is available to the public [pdf] and provides sample scripts and log queries for detecting anomalies in systems, as well as network traffic signatures to spot common web shells.
ASD and NSA listed eleven applications that if unpatched, contain commonly targeted and exploited vulnerabilties.
Microsoft SharePoint and Exchange Server, multiple Citrix products, Adobe ColdFusion, the WordPress Social Warfare plugin as well as Zoho ManageEngine Service Desk Plus and Desktop Central, and the Progress Telerik UI contain vulnerabilties that should be patched on internal and internet-facing systems to avoid being infested with web shells, ASD and NSA advised.
Atlassian's Confluence Server, Confluence Data Centre, Crowd and Crowd Data Centre are also in attackers' cross-hairs with three exploitable vulnerabilties available that should be patched.
Five-Eyes intelligence sharing alliance members USA, United Kingdom, Australia, Canada and New Zealand have long warned about Advanced Persistent Threat actors and criminal groups using web shells as exploitation vectors, but they continue to be a menace for government and private organisations.
