Microsoft says the number of web shells has doubled since last year


Microsoft says the number of malicious web shells installed on web servers has nearly doubled since its last count in August 2020.

The Redmond company said in a blog post yesterday that between August 2020 and January 2021, it detected about 140,000 web shells per month, compared to the average of 77,000 it reported last year.

The number has increased due to a shift in how hackers view web shells. Once considered a tool for damaging websites and the go-to tool of DDoS botnet operators, web shells are now part of the arsenal of ransomware gangs and nation-state hackers, and are important tools used in complex intrusions.

Two of the reasons why they have become so popular are their versatility and the access they offer to hacked servers.

Web shells, which are nothing more than simple scripts, can be written in almost any programming language that runs on a web server (such as PHP, ASP, JSP or JS) and so can be easily hidden in the source code of a website. This makes detecting them a difficult operation, which often involves manual analysis by a human operator.

In addition, web shells give hackers an easy way to execute commands on a hacked server via a graphical or command-line interface, providing attackers with an easy way to escalate attacks.

Web shells become more common as more servers are placed online

As corporate IT has moved towards hybrid cloud environments, the number of companies managing web servers has increased over the past few years, and in many cases public-facing servers have direct connections to internal networks.

As Microsoft’s statistics show, attackers also seem to have noticed this change in the composition of corporate IT networks and have increased their attacks on public-facing systems.

Web shells now play an important role in their attacks, providing a way to control the hacked server and then orchestrate a pivot point to a target’s internal network.

These types of attacks are exactly what the US National Security Agency warned of in April 2020 when it published a list of 25 vulnerabilities often used to install web shells.

The NSA report warned not only about web shells being used on public systems, but also about their use in internal networks, where they are used as a proxy to jump to non-public systems.

Microsoft is urging companies to re-prioritize their approach to dealing with web shells, which are slowly becoming one of the biggest security threats today. To keep networks secure, the OS maker recommends some basic actions:

  • Patch public-facing systems, as most web shells are installed after attackers exploit unpatched vulnerabilities.
  • Extend antivirus protections to web servers, not just employee workstations.
  • Segment the network to limit the damage of an infected server to a small number of systems and not the entire network.
  • Regularly check and review logs from web servers, especially for public-facing systems, which are more exposed to scans and attacks.
  • Practice good credential hygiene. Restrict the use of accounts with local or domain admin level rights.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
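
As an illustration of the log-review recommendation, the following added example (not Microsoft's detection logic and not part of the original article) scans web server access logs for script files whose traffic pattern is typical of a web shell. The heuristic (few distinct clients, repeated POSTs, no referrer), the thresholds, and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Extensions for the languages the article names (PHP, ASP, JSP, JS).
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".js")


def review(lines, max_clients=2, min_posts=3):
    """Return script paths whose traffic looks operator-driven (assumed heuristic):
    successful requests from very few clients, repeated POSTs, never linked to."""
    stats = defaultdict(lambda: {"ips": set(), "posts": 0, "linked": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or unsuccessful request
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["ips"].add(m["ip"])
        s["posts"] += m["method"] == "POST"
        s["linked"] |= m["referer"] not in ("", "-")
    return sorted(
        p for p, s in stats.items()
        if len(s["ips"]) <= max_clients and s["posts"] >= min_posts and not s["linked"]
    )


# Constructed sample log lines (documentation IP ranges, made-up paths).
T = "[10/Feb/2021:03:14:0{} +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T.format(i)} "POST /uploads/img_cache.php?x={i} HTTP/1.1" 200 512 "-" "curl/7.68.0"'
    for i in range(3)
] + [
    f'198.51.100.{i} - - {T.format(i)} "POST /login.php HTTP/1.1" 200 904 "https://shop.example/login.php" "Mozilla/5.0"'
    for i in range(3)
] + [
    f'198.51.100.9 - - {T.format(5)} "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {T.format(6)} "POST /uploads/missing.php HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for path in review(SAMPLE):
        print("review manually:", path)
```

Paths it returns are candidates for the manual analysis the article mentions, not confirmed web shells; legitimate admin or API endpoints can match the same pattern.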
