Backdoor: NSA and ASD warn of vulnerabilities

[German]The US secret service NSA and the Australian secret service have issued a joint warning. Hackers are increasingly trying to exploit unpatched vulnerabilities in products to infiltrate systems via web shell malware.


The following tweet links to a corresponding document of the NSA/CSS, which warns against cyber attacks on known vulnerabilities.

Bleeping Computer writes here,  that the Australian Signals Directorate (ASD) also issues this common warning. In a joint report, NSA and ASD warn of cyber attacks that exploit increasingly vulnerable web servers to use web shells. “Malicious cyber-actors are increasingly using web shells to gain or maintain access to victims’ systems,” writes NSA.

Web shells as a backdoor

Web shells are malicious tools that hackers can use on a compromised internal or Internet-exposed server to gain and maintain access. Web shells also allow remote execution of arbitrary commands, deliver additional malware payloads, and access other devices within a network.

Web shells can be uploaded in a variety of forms to vulnerable servers. This ranges from programs designed specifically to provide Web shell functionality, to Perl, Ruby, Python, and Unix shell scripts, to application plug-ins, and to PHP and ASP code snippets that are inserted into the pages of a Web application.


Detect and block

The 17-page security guide published by the two secret services contains a wealth of information for security teams. This ranges from the detection of hidden web shells to the reaction and elimination of detected infections. It also lists the exploited vulnerabilities.

Vulnerability Identifier Affected Application Reported
CVE-2019-0604 Microsoft SharePoint 15 May 2019
CVE-2019-19781 Citrix Gateway, Citrix Application Delivery Controller, and Citrix SD-WAN WANOP appliances 22 Jan 2020
CVE-2019-3396 Atlassian Confluence Server 20 May 2019
CVE-2019-3398 Atlassian Confluence Server and Atlassian Confluence Data Center 26 Nov 2019
CVE-2019-9978 WordPress “Social Warfare” Plugin 22 Apr 2019
Progress Telerik UI 7 Feb 2019
CVE-2019-11580 Atlassian Crowd and Crowd Data Center 15 July 2019
CVE-2020-10189 Zoho ManageEngine Desktop Central 6 Mar 2020
CVE-2019-8394 Zoho ManageEngine ServiceDesk Plus 18 Feb 2019
CVE-2020-0688 Microsoft Exchange Server 10 Mar 2020
CVE-2018-15961 Adobe ColdFusion 8 Nov 2018

The table above contains known vulnerabilities from various products for which security updates have long been available, but which are attacked on unpatched systems. More details can be found at Bleeping Computer.


This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *