Exploiting a zero-day vulnerability in MOVEit Transfer, the criminals deployed web shells to vulnerable file transfer servers and gained access to a variety of high-profile organizations. More than a week after the remediation instructions were published, Netcraft discovered that web shells are still present on servers associated with energy, healthcare, and financial companies.
Web shells are control panels used by criminals to exfiltrate data from compromised servers, execute exploits, and maintain remote access, often persisting long after the original vulnerability has been fixed.
Using zero-day vulnerabilities to install web shells is not a new tactic. We previously reported on web shells installed via the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities in 2021. Two years later, Netcraft continues to detect new web shell installations on still-vulnerable Microsoft Exchange servers.
Earlier this week, we confirmed the presence of web shells on servers belonging to several companies, including two energy companies and a large state-chartered credit union. This blog post explains what we found and why web shells remain a key component of the cybercriminals’ toolbox.
Investigation into the MOVEit hack
Following previous Internet scans, Netcraft polled approximately 1,000 Internet-visible web servers running MOVEit Transfer for the presence of web shells using the observed human2.aspx file name.
Affected servers can be identified by a fake 404 Not Found error page used by the web shell. Without the correct password, the human2 web shell returns a non-default 404 page with different HTML content.
Using this technique, we confirmed the presence of web shells on hostnames belonging to various companies, almost certainly installed there via the MOVEit vulnerability. Netcraft detected web shells installed via the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities using a similar technique.
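To make the check described above concrete, here is an added Python example (not Netcraft's tooling) that applies the same heuristic to a single MOVEit Transfer host you administer: it fetches a random path that cannot exist to learn the server's genuine 404 page, then fetches /human2.aspx and flags a 404 whose HTML differs. The User-Agent string, the example hostname and the response bodies used for testing are assumptions.

```python
"""Added example: detect the human2.aspx web shell's fake 404 page on a host.
The shell answers requests without the correct password with a 404 status but
HTML that differs from the server's own 404 page, which is what we compare."""
import re
import secrets
import urllib.error
import urllib.request

PROBE_PATH = "/human2.aspx"  # file name observed on compromised MOVEit servers


def normalise(body: bytes) -> str:
    """Lower-case and collapse whitespace so trivial differences do not count."""
    return re.sub(r"\s+", " ", body.decode("utf-8", "replace")).strip().lower()


def classify(baseline: tuple, probe: tuple) -> str:
    """Compare (status, body) of a known-missing path with (status, body) of
    PROBE_PATH. Returns 'clean', 'suspicious' or 'inconclusive'."""
    b_status, b_body = baseline
    p_status, p_body = probe
    if b_status != 404 or p_status != 404:
        # e.g. a WAF answering 403, or a 200 on the probe: needs manual review
        return "inconclusive"
    if normalise(b_body) == normalise(p_body):
        return "clean"        # probe received the server's genuine 404 page
    return "suspicious"       # 404 status but different HTML: the fake 404


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "webshell-check"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_host(base_url: str) -> str:
    """Use a random, certainly-missing .aspx path as the 404 baseline, then
    request the probe path and classify the pair. base_url is assumed to look
    like https://moveit.example (a placeholder, not a real host)."""
    base_url = base_url.rstrip("/")
    baseline = fetch(f"{base_url}/{secrets.token_hex(8)}.aspx")
    probe = fetch(base_url + PROBE_PATH)
    return classify(baseline, probe)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_host(host))
```

A "suspicious" result is a trigger for a forensic look at the MOVEit web root, not proof on its own; a "clean" result only says the fake 404 was not seen.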
Many of the affected companies are based in the US, but we also detected cases in Canada, Oman and the Philippines. Affected businesses include those in the energy, healthcare and finance industries. Due to the large amount of sensitive customer data and their position in supply chains, they can represent attractive targets for ransomware.
Netcraft has notified the affected companies, and as of this writing, most of the detected web shells are no longer accessible.
What are web shells? And why are they so dangerous?
Web shells are the ‘Criminal’s Control Panel’, enabling a variety of cyber attacks using compromised servers. Criminals can send spam emails, leak data for sale or a ransomware attack, and use the server to host other malicious content. For about a quarter of the web shells Netcraft encounters, we also found other forms of cybercrime on the same server, including phishing, website defacement, cryptocurrency investment scams, and malware.
Web shells can be designed with different purposes in mind, and criminals often install multiple shells on a compromised server to perform different tasks. For example, the use of “mailers” to send emails as part of a phishing campaign is particularly prevalent: Netcraft has identified web shell mailers being used to send phishing emails posing as over a hundred brands in the last three months.
Web shells are also used as a way to sell persistent administrative access to a compromised server. Initial access brokers operate marketplace websites where users can buy or sell remote access. These listings include anonymised information about the server, including the hosting provider, operating system, and even SEO statistics.
Removing the malicious content or patching the vulnerable service on its own is not enough: an attacker can simply regain access to the site and redeploy the content. Long after the underlying vulnerability has been patched, web shells allow continued administrative access to the server.
How can Netcraft help?
Netcraft has been detecting and disrupting web shells since 2016, as part of our cybercrime detection, disruption, and removal platform. In that time, we’ve taken down half a million web shells. In the last 3 months alone, we have detected over 155,000 web shells on over 27,500 different IP addresses and 40,000 different host names.
Since web shells are closely associated with other types of cybercrime, removing linked web shells while eliminating phishing, scams, and malware impersonating a legitimate organization takes away the tools available to cybercriminals and makes it more difficult to launch future attacks from the same infrastructure.
Hosting and network providers can also use the Netcraft platform to receive threat data that will notify them whenever web shells (or other malware or phishing activity) are detected on their infrastructure. Access to timely and validated alerts of cyberattacks deployed through their infrastructure can help registrars and hosting companies preserve their network integrity and brand reputation.