Microsoft Reports Malicious Web Shells Doubled in 2020
Microsoft's Detection and Response security team reported a dramatic increase in malicious web shell detections over the course of 2020. The surge continues an existing trend that became more pronounced in the last few months.
Between August 2020 and January 2021, the monthly average number of malicious web shell instances detected by Microsoft's security team rose from 77,000 to 140,000 on a year-over-year basis.
The research team attributes this increase to the great flexibility and utility that web shells offer malicious actors. Malicious web shells are written in standard web programming languages such as ASP, JSP and JS and are very easy to hide in normal code.
They are usually hard to find without a human operator going through the mass of server code, and they allow bad actors to execute code and commands on the compromised server remotely.
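One way to narrow down what a human reviewer has to read, shown as an added example that is not from Microsoft's report or the original article: flag script files in a web root that combine request input with an execution call, or that changed after the last known deployment. The marker lists, the .aspx and .jspx extensions, the function names, the baseline timestamp and the sample file tree are all assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Script types the article names (ASP, JSP, JS); .aspx and .jspx are added assumptions.
SCRIPT_EXTS = {".asp", ".aspx", ".jsp", ".jspx", ".js"}
# Illustrative, non-exhaustive markers of command or code execution.
EXEC = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|WScript\.Shell|"
                  rb"Process\.Start|child_process|\beval\s*\(", re.I)
# Markers of request-controlled input in the same file.
INPUT = re.compile(rb"request\.(getParameter|form|querystring)|req\.(query|body)", re.I)

def scan_webroot(root, deployed_at, slack=3600):
    """Return {relative path: [reasons]} for script files that merit human review."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        data, reasons = path.read_bytes(), []
        if EXEC.search(data) and INPUT.search(data):
            reasons.append("request input next to an execution call")
        if path.stat().st_mtime > deployed_at + slack:
            reasons.append("modified after deployment baseline")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_webroot(root, deployed_at):
    samples = {  # constructed sample tree; every file and timestamp is made up
        "index.jsp": (b"<html><body>Hello</body></html>", 0),
        "static/app.js": (b"document.title = 'shop';", 0),
        "static/banner.js": (b"console.log('spring sale');", 2 * 86400),
        "images/thumb.jsp": (b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>', 3 * 86400),
    }
    for rel, (body, offset) in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
        os.utime(target, (deployed_at + offset, deployed_at + offset))

def demo():
    deployed_at = 1_600_000_000.0  # constructed baseline: time of the last known-good release
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root, deployed_at)
        return scan_webroot(root, deployed_at)

if __name__ == "__main__":
    print(demo())
```

The late but harmless banner.js is flagged on timestamp alone, which is the point: the output is a short reading list for the reviewer, not a verdict.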
Web shells often exploit known vulnerabilities that already have fixes available, sneaking onto servers that have not yet been patched.
Microsoft also outlined the danger of web shells being used as mechanisms to ensure malicious persistence on a network.
Once deployed and undetected, a web shell can serve as a backdoor that bad actors can use to deploy further malicious tools on the network and mine sensitive information from the compromised systems. It is not uncommon for a web shell to be used as the focal point of a large-scale attack on a compromised network.
The rapid deployment of new servers to meet the increased demand for cloud functionality and storage is also giving malicious actors a lot of new targets for attack.
The increase in detected malicious web shells was also attributed in part to the increase in new server instances that came with the global 2020 Covid pandemic.