[German]The US secret service NSA and the Australian secret service have issued a joint warning. Hackers are increasingly trying to exploit unpatched vulnerabilities in products to infiltrate systems via web shell malware.
Advertising
The following tweet links to a corresponding document of the NSA/CSS, which warns against cyber attacks on known vulnerabilities.
Malicious cyber actors are actively using web shells in their intrusion campaigns.
Protect your networks—apply the mitigations listed in the @NSAGov and @ASDGovAu #Cybersecurity Information Sheet found here: https://t.co/5BGbm1Ewy0 pic.twitter.com/6BUf9UV2t1
— NSA/CSS (@NSAGov) April 22, 2020
Bleeping Computer writes here, that the Australian Signals Directorate (ASD) also issues this common warning. In a joint report, NSA and ASD warn of cyber attacks that exploit increasingly vulnerable web servers to use web shells. "Malicious cyber-actors are increasingly using web shells to gain or maintain access to victims' systems," writes NSA.
Web shells as a backdoor
Web shells are malicious tools that hackers can use on a compromised internal or Internet-exposed server to gain and maintain access. Web shells also allow remote execution of arbitrary commands, deliver additional malware payloads, and access other devices within a network.
Web shells can be uploaded in a variety of forms to vulnerable servers. This ranges from programs designed specifically to provide Web shell functionality, to Perl, Ruby, Python, and Unix shell scripts, to application plug-ins, and to PHP and ASP code snippets that are inserted into the pages of a Web application.
Advertising
Detect and block
The 17-page security guide published by the two secret services contains a wealth of information for security teams. This ranges from the detection of hidden web shells to the reaction and elimination of detected infections. It also lists the exploited vulnerabilities.
| Vulnerability Identifier | Affected Application | Reported |
| CVE-2019-0604 | Microsoft SharePoint | 15 May 2019 |
| CVE-2019-19781 | Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances | 22 Jan 2020 |
| CVE-2019-3396 | Atlassian Confluence Server | 20 May 2019 |
| CVE-2019-3398 | Atlassian Confluence Server and Atlassian Confluence Data Center | 26 Nov 2019 |
| CVE-2019-9978 | WordPress "Social Warfare" Plugin | 22 Apr 2019 |
| CVE-2019-18935 CVE-2017-11317 CVE-2017-11357 |
Progress Telerik UI | 7 Feb 2019 |
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center | 15 July 2019 |
| CVE-2020-10189 | Zoho ManageEngine Desktop Central | 6 Mar 2020 |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus | 18 Feb 2019 |
| CVE-2020-0688 | Microsoft Exchange Server | 10 Mar 2020 |
| CVE-2018-15961 | Adobe ColdFusion | 8 Nov 2018 |
The table above contains known vulnerabilities from various products for which security updates have long been available, but which are attacked on unpatched systems. More details can be found at Bleeping Computer.
