Web shells are tools that threat actors deploy on already hacked servers to gain and maintain access. They allow attackers to remotely execute arbitrary code or commands, move laterally within a network, or deliver malicious payloads. Microsoft reported that the number of monthly web shell attacks nearly doubled last year, with an average of 140,000 of these threats found on compromised servers every month.
Web shells can be deployed in many different forms: for example, as app plugins, as PHP or ASP code snippets injected into web apps, or even as Perl, Python, Ruby and Unix shell scripts. Microsoft has stated: “The latest Microsoft 365 Defender data shows that this trend not only continued, it accelerated: every month from August 2020 to January 2021, we registered an average of 140,000 encounters of these threats on servers.” In addition, the U.S. National Security Agency (NSA) has issued a warning about threat actors increasing their attacks on vulnerable web servers, saying “Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks.”