Web Shells and Lateral Movement

Understanding Web Shells

A web shell is a malicious script or program that is uploaded to a compromised web server. It provides an attacker with a backdoor, granting them remote access to the server's file system and network. This access can be used to execute commands, steal data, or further compromise other systems within the network.

Lateral Movement: A Key Attack Vector

Once an attacker has gained initial access to a system, their primary goal is often to expand their foothold within the network. This process is known as lateral movement. By moving from one compromised system to another, attackers can gain access to more valuable data and resources.

Web Shells as a Tool for Lateral Movement

Web shells can be a powerful tool for lateral movement. Here are some common techniques attackers may employ:

1. File Transfer: Attackers can use web shells to upload or download files, including executable binaries that can be used to compromise other systems.

2. Command Execution: Web shells allow attackers to execute arbitrary commands on the compromised server. This can be used to scan the network for vulnerable systems, exploit vulnerabilities, or establish additional backdoors.

3. Credential Harvesting: Attackers may use web shells to search for sensitive information, such as passwords or credentials stored on the compromised system. This information can then be used to gain access to other systems within the network.

The Ivanti ConnectSecure Attacks

In 2021, a series of attacks targeting Ivanti ConnectSecure appliances demonstrated the devastating potential of web shells for lateral movement. The attackers exploited a vulnerability in the ConnectSecure software to upload a web shell to the affected devices. This web shell was then used to gain access to the network and compromise other systems.

The attackers used the web shell to:

• Harvest credentials: They extracted credentials for other systems within the network, including Active Directory domain controllers.

• Establish additional backdoors: They deployed additional malware, such as ransomware, to encrypt sensitive data and extort victims.

• Lateral movement: They moved from compromised ConnectSecure appliances to other systems within the network, expanding their attack surface.

  
  

Preventing Web Shell Attacks

To protect your organization from web shell attacks, it is essential to implement robust security measures. Here are some key recommendations:

• Patch vulnerabilities promptly: Keep all software, including web servers and network devices, up-to-date with the latest security patches.

• Monitor network traffic: Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor network traffic for suspicious activity, such as web shell uploads or unusual command executions.   

• Employ real-time detection mechanisms: Incorporate a real-time detection and quarantine system for malicious web shells or URLs to ensure threats that make it through your external defenses can be contained.

Resources:

• Ivanti ConnectSecure Attacks:

  • SecurityWeek: https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways

  • Bleeping Computer: https://www.bleepingcomputer.com/tag/ivanti/

• Web Shells and Lateral Movement:

  • Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month

  • Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/