Web shells persist days after MOVEit mitigation


Exploiting a zero-day vulnerability in MOVEit Transfer, criminals have deployed web shells on vulnerable file transfer servers and gained access to a variety of high-profile organizations. More than a week after remediation instructions were published, Netcraft has discovered web shells still present on servers associated with energy, healthcare, and finance companies.

Web shells are control panels used by criminals to exfiltrate data from compromised servers, run exploits, and maintain remote access, often persisting long after the original vulnerability has been fixed.

Using zero-day vulnerabilities to install web shells is not a new tactic. We previously reported on web shells installed via the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities in 2021. Two years later, Netcraft continues to observe new installations of web shells on still-vulnerable Microsoft Exchange servers.

Earlier this week, we confirmed the presence of web shells on servers belonging to various companies, including two energy companies and a large state-chartered credit union. This blog post explains what we found, and why web shells remain such a central component of the cyber criminals' toolbox.

Investigation into MOVEit hack

Following on from earlier internet scans, Netcraft probed around one thousand internet-visible web servers running MOVEit Transfer for the presence of web shells using the observed human2.aspx filename.

Affected servers can be identified by a fake 404 Not Found error page used by the web shell. Without the correct password, the human2 web shell returns a non-default 404 page with distinct HTML content.

False 404 page returned by a web shell present at human2.aspx if a request is made without a password specified in the request headers. Many samples found online have different passwords, each of which appears to be a randomly generated version 4 UUID.

Real 404 page returned by the same server when visiting doesnotexist.aspx

Using this technique, we confirmed the presence of web shells on hostnames belonging to various companies, almost certainly placed there using the MOVEit vulnerability. Netcraft detected web shells installed via the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities using a similar technique.
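The comparison described above, written up as an added example for administrators checking their own MOVEit Transfer hosts (this is not Netcraft's scanner): it requests human2.aspx and a control path that should not exist, and flags a 404 for human2.aspx whose body differs from the server's genuine 404 page. The sample responses are constructed for an offline run, and the `check_host` base URL is whatever host you administer.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Page:
    status: int
    body: str


# Constructed sample responses for an offline run (not captured from any real server).
CONSTRUCTED_REAL_404 = Page(404, "<html><head><title>404 Not Found</title></head>"
                                 "<body>The resource cannot be found.</body></html>")
CONSTRUCTED_FAKE_404 = Page(404, "<html><body><h1>404 Not Found</h1></body></html>")


def normalise(body: str) -> str:
    # Collapse whitespace so trivial formatting differences do not cause false alarms.
    return " ".join(body.split())


def classify(human2: Page, control: Page) -> str:
    """Compare the response for human2.aspx with a genuine 404 from the same server."""
    if human2.status != 404:
        return "review"          # file exists or server misbehaves; inspect manually
    if control.status != 404:
        return "inconclusive"    # control path unexpectedly exists; no baseline 404
    if normalise(human2.body) != normalise(control.body):
        return "suspicious"      # a 404 that differs from the server's own 404 page
    return "clean"


def fetch(url: str, timeout: float = 10.0) -> Page:
    # Treat HTTP error statuses as ordinary responses so their bodies can be compared.
    req = urllib.request.Request(url, headers={"User-Agent": "human2-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Page(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Page(err.code, err.read().decode("utf-8", "replace"))


def check_host(base: str) -> str:
    # base is a MOVEit host you administer, e.g. https://moveit.example.internal (hypothetical)
    return classify(fetch(base + "/human2.aspx"), fetch(base + "/doesnotexist.aspx"))


if __name__ == "__main__":
    print(classify(CONSTRUCTED_FAKE_404, CONSTRUCTED_REAL_404))
```

A "suspicious" result is a prompt for forensic review of the server, not proof on its own; a shell with a different filename or a default-looking 404 page would not be caught by this check.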

Many of the companies affected are US-based, but we also detected instances in Canada, Oman, and the Philippines. The affected companies include those across the energy, healthcare, and finance industries. Due to the large amounts of sensitive customer data they hold, and their position in supply chains, they may represent appealing targets for ransomware.

Netcraft has notified the affected companies, and at the time of writing most of the detected web shells are no longer accessible.

What are web shells? And why are they so dangerous?

Web shells are ‘The Criminal’s Control Panel’, enabling a range of cyber attacks using compromised servers. Criminals can send spam emails, exfiltrate data for sale or for a ransomware attack, and use the server to host other malicious content. For around a quarter of the web shells Netcraft finds, we also find other forms of cybercrime on the same server, including phishing, website defacement, cryptocurrency investment scams and malware.

Web shells can be designed with different purposes in mind, and criminals often install multiple shells on a compromised server to perform different tasks. For example, the use of “Mailers” to send out emails as part of a phishing campaign is particularly frequent: Netcraft has identified web shell mailers being used to send phishing emails impersonating over a hundred brands in the past 3 months.

Web shells are also used as a method of selling persistent administrative access to a compromised server. Initial access brokers operate marketplace websites where users can buy or sell remote access. These listings include anonymized information about the server, including hosting provider, operating system, and even SEO statistics.

Password protected web shell installations listed for sale on an initial access broker’s site; the actual price ranges between 2 and 100 dollars.

Removing the malicious content or patching the vulnerable service alone means that an attacker can simply regain access to the site and redeploy the content. Long after the underlying vulnerability has been patched, web shells allow continued administrative access to the server.

How can Netcraft help?

Netcraft has been detecting and disrupting web shells since 2016, as part of our cybercrime detection, disruption, and takedown platform. In that time, we’ve taken down half a million web shells. In the past 3 months alone, we’ve detected more than 155,000 web shells across more than 27,500 different IPs and 40,000 different hostnames.

As web shells are closely associated with other types of cybercrime, removing linked web shells when taking down phishing, scams, and malware impersonating a legitimate organization removes the tools available to cyber criminals and makes future attacks from the same infrastructure more difficult.

Hosting and web providers can also use Netcraft’s platform to receive threat data which will notify them whenever web shells (or other malware, or phishing activity) are detected on their infrastructure. Access to timely, validated alerts of cyber attacks deployed using their infrastructure can help registrars and hosting companies preserve their network’s integrity and their brand’s reputation.

Source: Netcraft