As web shell attacks continue to be a persistent threat, the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have released a detailed advisory and a host of detection tools on GitHub.
Web shells are tools that hackers deploy onto compromised public-facing or internal servers; they give attackers significant access and allow them to remotely execute arbitrary commands. They are a powerful tool in a hacker's arsenal, one that can deploy an array of payloads or even move between devices within networks.
The NSA warned that: "Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools."
A common misconception they are trying to dispel is that hackers only target internet-facing systems with web shell attacks, but the truth is that attackers are regularly using web shells to compromise internal content management systems or network device management interfaces.
In fact, these types of internal systems can be even more susceptible to attack, as they may be the last systems to be patched.
To help IT teams mitigate these types of attacks, the NSA and ASD have released a seventeen-page advisory with mitigating actions that can help detect and prevent web shell attacks.
Web shell attacks are tricky to detect at first, as they are designed to appear as normal web files, and hackers obfuscate them further by employing encryption and encoding techniques.
One of the best ways to detect web shell malware is to have a verified version of all web applications in use. These can then be used to authenticate production applications and can be crucial in rooting out any discrepancies.
However, the advisory warns that administrators using this mitigation approach should be wary of trusting timestamps, as some attackers use a technique known as timestomping to alter created and modified times in order to add legitimacy to web shell files.
They added: "Administrators should not assume that a modification is authentic simply because it appears to have occurred during a maintenance period."
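The known-good comparison described above, sketched as an added example (not code from the advisory or from the NSA's GitHub repository): it compares SHA-256 hashes of file contents rather than dates, so a file whose timestamps have been reset to look legitimate is still flagged. The directory names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(known_good, production):
    """Return files added, missing or modified in production, judged by content only."""
    good, prod = manifest(known_good), manifest(production)
    return {
        "added": sorted(set(prod) - set(good)),
        "missing": sorted(set(good) - set(prod)),
        "modified": sorted(f for f in good.keys() & prod.keys() if good[f] != prod[f]),
    }


def demo():
    """Constructed sample: a verified copy and a production copy with two discrepancies."""
    with tempfile.TemporaryDirectory() as tmp:
        good, prod = Path(tmp, "known_good"), Path(tmp, "production")
        for root in (good, prod):
            (root / "css").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home'; ?>\n")
            (root / "css" / "site.css").write_text("body { margin: 0; }\n")
        # Discrepancy 1: a file that does not exist in the verified copy.
        (prod / "css" / "upload.php").write_text("<?php /* unexpected file */ ?>\n")
        # Discrepancy 2: changed content, with the timestamps copied back from the
        # verified copy, which is the effect timestomping has on a date-based check.
        (prod / "index.php").write_text("<?php echo 'home'; /* altered */ ?>\n")
        st = (good / "index.php").stat()
        os.utime(prod / "index.php", ns=(st.st_atime_ns, st.st_mtime_ns))
        same_mtime = (prod / "index.php").stat().st_mtime_ns == st.st_mtime_ns
        return compare(good, prod), same_mtime


if __name__ == "__main__":
    report, same_mtime = demo()
    print("mtime matches verified copy:", same_mtime)
    for kind, files in report.items():
        print(kind, files)
```

In practice the verified copy has to live somewhere the web server cannot write to, otherwise an attacker who can modify the application can modify the baseline as well.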
The joint advisory warns that web shells could be simply part of a larger attack and that organisations need to quickly figure out how the attackers gained access to the network.
Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where. If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time, they warn.
To further help security teams, the NSA has released a dedicated GitHub repository that contains an array of tools that can be used to block and detect web shell attacks.