Add to favorites <\/p>\n
Administrators should not assume that a modification is authentic simply because it appears to have occurred during a maintenance period.<\/p>\n
As web shell attacks continue to be a persistent threat the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have released a detailed advisory and a host of detection tools on GitHub.<\/p>\n
Web shells are tools that hackers deploy into compromised public-facing or internal server that give them significant access and allow them to remotely execute arbitrary commands. They are a powerful tool in a hackers arsenal, one that can deploy an array of payloads or even move between device within networks.<\/p>\n
The NSA warned that: Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools<\/p>\n
A common misconception they are trying to dispel is that hackers only target internet-facing systems with web shell attacks, but the truth is that attackers are regularly using web shells to compromise internal content management systems or network device management interfaces.<\/p>\n
In fact these types of internal systems can be even more susceptible to attack as they may be the last system to be patched.<\/p>\n
In order to help IT teams mitigate these types of attacks the NSA and ASD have released a seventeen page advisory with mitigating actions that can help detect and prevent web shell attacks.<\/p>\n
Web shell attacks are tricky to detect at first as they designed to appear as normal web files, and hackers obfuscate them further by employing encryption and encoding techniques.<\/p>\n
One of the best ways to detect web shell malware is to have a verified version of all web applications in use. These can then be then used to authenticate production applications and can be crucial in routing out any discrepancies.<\/p>\n
However the advisory warns that while using this mitigation approach administrators should be wary of trusting times stamps as, some attackers use a technique known as timestomping to alter created and modified times in order to add legitimacy to web shell files.<\/p>\n
They added: Administrators should not assume that a modification is authentic simply because it appears to have occurred during a maintenance period.<\/p>\n
The joint advisory warns that web shells could be simply part of a larger attack and that organisations need to quickly figure out how the attackers gained access to the network.<\/p>\n
Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where. If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time, they warn.<\/p>\n
To further help security teams the NSA has released a dedicated GitHub repository that contains an array of tools that can be used to block and detect web shell attacks.<\/p>\n
<\/p>\n
Follow this link:<\/p>\n
NSA Web Shell Advisory and Mitigation Tools Published on GitHub - Computer Business Review<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Add to favorites Administrators should not assume that a modification is authentic simply because it appears to have occurred during a maintenance period. As web shell attacks continue to be a persistent threat the U.S. Continue reading