How to Detect & Prevent Cyberattackers from Exploiting Web Servers via Web Shell Malware
Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks. According to the U.S. National Security Agency (NSA), web shell malware is software deployed by a hacker, usually on a victim's web server, that can execute arbitrary system commands, commonly sent over HTTPS. To harden and defend web servers against this threat, NSA and the Australian Signals Directorate (ASD) have issued a dual-seal Cybersecurity Information Sheet (CSI). The guide explains how to detect and prevent web shell malware on Department of Defense and other government web servers, and the guidance is likely to be just as useful to any network defender responsible for maintaining web servers.
Web shell malware has been a threat for years and continues to evade detection by most security tools, says the NSA. Malicious cyber actors are increasingly leveraging this type of malware to keep consistent access to compromised networks while using communications that blend in well with legitimate traffic. In practice, the NSA adds, attackers may send system commands over HTTPS or route commands through the compromised server to other systems, including internal networks, so that the activity can pass as normal network traffic.