Microsoft says Web shell usage by hackers is on the rise

Researchers say that Web shell attacks continue to increase worldwide.

The Microsoft Defender Security Research Team has reported a troubling rise in “Web shell encounters” on servers across the globe.

Web shells allow remote hackers to do most of the same things legitimate administrators can do, which is why they are so dangerous. Once they have installed a Web shell, hackers can use it to run commands that steal data and execute malicious code.

Last year’s “steady increase” in attacks is continuing in 2021

The Microsoft Research Team’s Detection and Response Team (DART) published a blog post last week that detailed what they were seeing in terms of Web shell attacks.

“One year ago, we reported the steady increase in the use of web shells in attacks worldwide,” they write. “The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated.”

In fact, every month from August 2020 to January 2021, DART registered an average of 140,000 encounters of these threats on servers. This rate is almost double the 77,000 monthly average the Team saw in 2020.

Web shell simplicity makes them more dangerous

The escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers, according to DART. A web shell is typically a small piece of malicious code written in a common web development language (e.g., ASP, PHP, JSP).

Attackers implant this code on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as a launch pad for other activities. Those malicious activities include credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity.
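Because a web shell is a script file implanted in a web-served directory, one defender-side check is to compare the server-side scripts under the web root against a known-good baseline taken at deploy time. The following is an added example, not code from the DART post or from Microsoft; the function names, the extension list and the placeholder files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Languages named in the article; the exact extension list is an assumption.
SCRIPT_EXTS = {".asp", ".aspx", ".php", ".jsp", ".jspx"}


def snapshot(web_root):
    """Map relative path -> SHA-256 for every server-side script under web_root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:  # case-insensitive
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, web_root).replace(os.sep, "/")] = digest
    return manifest


def diff(baseline, current):
    """Return sorted (added, modified, removed) script paths."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def demo():
    """Constructed web root with placeholder files; no real site or shell code."""
    def write(root, rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", b"placeholder home page")
        write(root, "app/about.jsp", b"placeholder about page")
        baseline = snapshot(root)  # known-good state at deploy time
        write(root, "uploads/thumb.ASPX", b"placeholder unexpected script")
        write(root, "index.php", b"placeholder home page plus appended line")
        write(root, "uploads/photo.png", b"not a script, ignored")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A new script in an upload directory or an unexplained change to an existing page is a lead for investigation, not proof of compromise; the baseline itself has to be stored where the web server account cannot rewrite it.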

The DART blog post concludes with a list of seven steps that organizations can take to harden themselves against Web shell attacks. These include using the Windows Defender Firewall and enabling virus protection on web servers. Of course, the best thing an enterprise can do, according to DART, is to use Microsoft 365 Defender to protect itself.