Microsoft said the number of web shells has doubled since last year

Microsoft says it's seeing around 140,000 web shells a month, up from roughly 77,000 last August.
Written by Catalin Cimpanu, Contributor
Image: Microsoft

Microsoft says the number of malicious web shells installed on web servers has almost doubled since its last count, last year in August 2020.

In a blog post yesterday, the Redmond company said it detected roughly 140,000 web shells per month between August 2020 and January 2021, up from the 77,000 average it reported last year.

The number has increased as a result of a shift in how hackers view web shells. Once considered a tool for script kiddies defacing websites and the go-to tool of DDoS botnet operators, web shells are now part of the arsenal of ransomware gangs and nation-state hackers alike and are crucial tools used in complex intrusions.

Two of the reasons they have become so popular is their versatility and access they provide to hacked servers.

Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server —such as PHP, ASP, JSP, or JS— and such, can be easily hidden inside a website's source code. This makes detecting them a difficult operation, which often involves a manual analysis from a human operator.

In addition, web shells provide hackers with a simple way to execute commands on a hacked server via a graphical or command-line interface, providing attackers with a simple way to escalate attacks.

Web shells more prevalent as more servers are put online

As the corporate IT space has moved towards hybrid cloud environments, the number of companies running web servers has increased over the past few years, and, in many cases, public-facing servers often have direct connections to internal networks.

As Microsoft's stats have shown, attackers appear to have figured out this change in the makeup of corporate IT networks as well, and have amped up their attacks on public-facing systems.

Web shells now play a crucial role in their attacks, providing a way to control the hacked server and then orchestrate a pivot to a target's internal network.

These types of attacks are exactly what the US National Security Agency warned about in April 2020 when it published a list of 25 vulnerabilities that were often used to install web shells.

The NSA report didn't just warn about web shells used on public-facing systems but also about their use inside internal networks, where they're used as proxies to jump to non-public-facing systems.

Microsoft urges companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of today's biggest security threat. As ways to keep networks secure, the OS maker recommends a few basic actions:

  • Patch public-facing systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
  • Extend antivirus protections to web servers, not just employee workstations.
  • Network segmentation to limit the damage of an infected server to a small array of systems and not the entire network.
  • Audit and review logs from web servers frequently, especially for public-facing systems, which are more vulnerable to scans and attacks.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.

The biggest hacks, data breaches of 2020 (so far)

Editorial standards