
Webshells in the Digital Age: The Continued Relevance of an Old Tactic


A rise in webshell attacks has been observed in recent months, posing new challenges for organizations trying to protect themselves from this evolving threat. Webshell attacks involve cybercriminals injecting a malicious file into a target web server’s directory and executing it from their web browser. While webshell attacks are not new, their execution methods have become increasingly sophisticated, making them harder to detect.

One of the reasons webshell attacks are difficult to detect is the multitude of ways in which they can be executed. Attackers can store webshells in various forms, such as in memory, on disk, within DNS tunnels, or encrypted within other protocols. Moreover, attackers have started hiding webshell payloads within cloud management applications on platforms like AWS and Azure, making it challenging to distinguish them from legitimate applications and functions.

Webshell attacks can be carried out through various tactics, with phishing being a common initial access method. For example, the Lazarus cybercrime group has been linked to a recent series of webshell attacks, specifically targeting Windows IIS servers. These attacks often exploit vulnerabilities and misconfigurations in popular systems like Microsoft Exchange and Office 365.

Detecting webshell attacks has become increasingly challenging due to the ability of attackers to constantly change the appearance of webshells on the system. They can modify the webshell within seconds and adapt it for each connection, making it difficult to identify patterns. At the same time, attackers manipulate log and DNS traffic to cover their tracks, further complicating forensic analysis.

Once an attacker successfully executes a webshell, they gain access to the compromised host and can proceed to run additional attack tools, such as remote access trojans (RATs), exfiltrate data, or even execute ransomware. Moreover, they often use the compromised system to identify other vulnerable systems within an organization, leading to widespread damage. Monitoring logs of websites and domains accessed by organization users becomes a significant challenge, especially for large enterprises with thousands or tens of thousands of websites to monitor.
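The log-monitoring problem described above is tractable when detection starts from a baseline of the files the application is known to deploy: any request for a server-side script outside that inventory deserves a look, and POST traffic without a Referer from a single client makes it more suspicious. The following is an added example (not code from the original article) that parses IIS W3C-format access log lines and scores such requests; the log lines, the known-file inventory, the client addresses and the `/app/static/tmp.aspx` path are all constructed for illustration, and the scoring weights and threshold are assumptions a defender would tune to their own environment.

```python
"""Flag likely webshell activity in IIS W3C access logs (constructed sample data).

Defender-side heuristics used here:
  * a request for a server-side script (.aspx/.ashx/.asmx/.php/.jsp) whose
    path is not in the deployed application's file inventory
  * POST with no Referer to such a file (form submissions from a browser
    normally carry one; tooling driving a dropped script usually does not)
  * repeated hits to the same unknown script from one client address
Weights and threshold below are assumptions, not values from the article.
"""
import re
from collections import defaultdict

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|php|jsp)$", re.IGNORECASE)

# Constructed W3C log excerpt; addresses are documentation ranges, paths are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2024-01-10 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 15
2024-01-10 09:00:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://mail.example.test/owa/ 302 40
2024-01-10 09:01:10 10.0.0.5 POST /app/static/tmp.aspx - 443 - 198.51.100.9 python-requests/2.31 - 200 120
2024-01-10 09:01:12 10.0.0.5 POST /app/static/tmp.aspx - 443 - 198.51.100.9 python-requests/2.31 - 200 95
2024-01-10 09:02:00 10.0.0.5 GET /owa/ - 443 - 192.0.2.44 Mozilla/5.0 - 200 12
"""

# Constructed inventory of script files the application legitimately serves.
KNOWN_FILES = {"/owa/auth/logon.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than abort the scan
        yield dict(zip(fields, values))


def score_requests(records, inventory):
    """Return {(client_ip, path): score} for requests to scripts outside the inventory."""
    hits = defaultdict(int)
    for r in records:
        path = r["cs-uri-stem"].lower()
        if not SCRIPT_EXT.search(path) or path in inventory:
            continue
        s = 1                                   # unknown script file requested
        if r["cs-method"] == "POST":
            s += 2                              # commands are usually POSTed
        if r.get("cs(Referer)", "-") == "-":
            s += 1                              # no referring page
        hits[(r["c-ip"], path)] += s            # repeats accumulate
    return dict(hits)


def find_suspects(text, inventory, threshold=4):
    """Return [((client_ip, path), score), ...] at or above threshold, highest first."""
    scored = score_requests(parse_w3c(text), {p.lower() for p in inventory})
    flagged = [(k, v) for k, v in scored.items() if v >= threshold]
    return sorted(flagged, key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (client, path), score in find_suspects(SAMPLE_LOG, KNOWN_FILES):
        print(f"{score:3d}  {client:<15}  {path}")
```

The inventory is the part that does the real work: it can be generated from the deployment package or from a file-integrity baseline taken at install time, so that a script created later by anything other than the deployment pipeline stands out regardless of how often its contents change.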

To mitigate the risk of webshell attacks, organizations should take a proactive approach to patching. The recent trend has shown that many attacks leverage vulnerabilities and misconfigurations in Exchange servers, making patching a critical step in preventing webshell attacks. However, patching is not always an easy task, particularly for large organizations with a vast number of systems spread across different locations. Testing is often required before applying patches, and the process can take months or even longer. Additionally, some patch failures may further delay the patching process.

Prioritizing patching efforts is crucial when faced with numerous patches that need attention. The Exploit Prediction Scoring System (EPSS) can aid in this effort by estimating the probability that a vulnerability will be exploited in the wild. Vulnerability management teams use EPSS to prioritize their work, but it can also serve as an early warning system for intelligence efforts. Fortinet’s Global Threat Landscape Report highlights that vulnerabilities with high EPSS scores are significantly more likely to be exploited within a week than lower-scored vulnerabilities.
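Because an EPSS score is a probability (the estimated chance of exploitation within the next 30 days), a backlog can be ranked by it directly, and the scores of whatever remains unpatched can be summed to give the expected number of those vulnerabilities that will be exploited during the testing window the article describes. The following is an added example (not from the original article or from FIRST's EPSS tooling) that ranks a constructed backlog and reports what a fixed number of patch slots per cycle leaves uncovered; the `CVE-XXXX-000n` identifiers and scores are placeholders, and the boost for internet-facing assets is an assumption.

```python
"""Rank a patch backlog by EPSS and quantify the residual risk of deferral.

Scores are constructed for illustration; in practice they come from the
published EPSS data set. The internet-facing weight is an assumption.
"""

# Constructed backlog: (placeholder id, epss_probability, internet_facing)
BACKLOG = [
    ("CVE-XXXX-0001", 0.92, True),
    ("CVE-XXXX-0002", 0.05, True),
    ("CVE-XXXX-0003", 0.40, False),
    ("CVE-XXXX-0004", 0.70, True),
    ("CVE-XXXX-0005", 0.01, False),
]


def expected_exploits(backlog):
    """Expected number of listed vulnerabilities exploited within the EPSS window."""
    return round(sum(epss for _, epss, _ in backlog), 2)


def rank(backlog, exposed_weight=1.5):
    """Order by EPSS, boosting internet-facing assets (weight is an assumption)."""
    def key(item):
        _, epss, exposed = item
        return epss * (exposed_weight if exposed else 1.0)
    return sorted(backlog, key=key, reverse=True)


def schedule(backlog, slots):
    """Pick `slots` patches for this cycle.

    Returns (ids chosen, expected exploits among what is deferred), so the
    cost of waiting for a long test cycle is a number rather than a feeling.
    """
    ordered = rank(backlog)
    chosen = [v[0] for v in ordered[:slots]]
    residual = expected_exploits(ordered[slots:])
    return chosen, residual


if __name__ == "__main__":
    print("expected exploits if nothing is patched:", expected_exploits(BACKLOG))
    ids, left = schedule(BACKLOG, slots=2)
    print("patch now:", ids)
    print("expected exploits among deferred items:", left)
```

Running it shows that patching the two highest-ranked items removes most of the expected exploitation, which is the argument for testing those two on an expedited track while the rest follow the normal cycle.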

In conclusion, webshell attacks continue to pose a significant threat to organizations, with their evolving techniques making them harder to detect. Prioritizing patching efforts and leveraging tools like EPSS can help organizations defend against webshell attacks effectively. Staying vigilant and regularly updating security measures remain essential in the ever-evolving threat landscape.
