Microsoft Says it Detects 77,000 Active Web Shells on a Daily Basis

In a blog post promoting the capabilities of its commercial security platform -- the Microsoft Defender ATP -- Microsoft said that on a daily basis the company's security team detects and tracks on average around 77,000 active web shells, spread across 46,000 infected servers. From a report: But while the Microsoft blog post goes on to promote Defender ATP's industry-recognized detection capabilities, the nugget in Microsoft's recent marketing material is the 77,000 and 46,000 daily statistics. These two numbers are staggering in terms of size, and especially the 77,000 figure, which is far far larger than any previous reports about web shell prevalence. For example, earlier this month GoDaddy's Sucuri reported on cleaning around 3,600 web shells from hacked websites during all last year, in 2019, a number dwarfed by Microsoft's daily detection count. Microsoft's numbers highlight the prevalence of these tools in the today's hackers' arsenals -- where web shells are considered a must for every threat actor, from lowly hacktivist groups defacing websites to state-sponsored cyber-espionage groups.

Web shell?

[ebcdic]

What's that?

Re:

[stanbrown]

My assumption is that it is a way to access a shell prompt (such as bash) from the web on the target machine.

Pretty much. Also, these are Windows

[raymorris]

Pretty much that's it. Basically like a telnet server installed by an attacker.

  Although you don't actually NEED a separate shell (bash, powershell or cmd.exe). The essential job of those shells is to run other programs. The web shell can just run the other programs directly, without invoking cmd.exe.

Why so darn many on Microsoft's cloud vs say Rackspace? Well Microsoft's customers DO tend to run Windows.

Re:

[gbjbaanb]

quite the opposite, Microsoft announced that it was supporting Linux because the split between Linux and Windows being hosted on Azure was something like half Linux - a number that's rising hugely. In 2017 it was 40%, in 2019 it was 50% [zdnet.com], it's probably more than that by now.

They didn't make a massive push to make .net standard and crown jewels like SQL Server run on Linux because everyone of their customers was using Windows.

Re:

[raymorris]

According to your numbers, on Microsoft's cloud half the servers are Windows. On the web in general, there are four times as many CENTOS servers than Windows. Three and half times as many Debian servers thsn Windows.

So yeah, Windows is at least 10X more prevalent on Azure than it is at Rackspace etc.

Re:Web shell?

[Pascoea]

FTA (I know, we don't do that here) under a section titled "What's a web shell?": "They provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shell contain basic functions to rename, copy, move, and even edit or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server."

Re:

[B'Trey]

FTA (I know, we don't do that here) under a section titled "What's a web shell?": "They provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shell contain basic functions to rename, copy, move, and even edit or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server."

It's reasonable to criticize people for spouting opinions or comments about the article without reading it. But the point of GPs post was that the summary should make sense and explain esoteric terms, so I can decide if I'm interested enough to RTFA. That's a basic rule of journalism.

Re: Web shell?

[Pascoea]

You have a fair point. That was honestly my first reaction as well, wtf is a web shell?

Re:

[Espectr0]

web shell is when you trick a server to let you upload a shell (where you can type commands and interact with the server) into an image file.

a very basic php misconfiguration can allow this, along with some file upload trickery. if you upload file.jpg.php and it has a valid JFIF header plus you intercept the MIME type when uploading , you might be able to pass a php script as an image file and issue any command

Hmm ... detects and tracks

[fahrbot-bot]

Microsoft Defender ATP -- Microsoft said that on a daily basis the company's security team detects and tracks on average around 77,000 active web shells, spread across 46,000 infected servers.

And, yet, no where in TFS or TFA does it note that they actually do anything about them. How nice.

Re: Hmm ... detects and tracks

[Provocateur]

Yes, That's the puzzling thing in TFS; that it all boils down to bragging points at the bar

Re:

[Pascoea]

You have to get to the referenced blog post: "When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks." Per the blog post the 77,000 is the number detected (and theoretically dealt with) via their ATP product.

Re:

[fahrbot-bot]

Thanks!

What is a web shell?

[Malays Bowman]

I thought it was some sort of command prompt, or maybe some kind of container that a web browser ran in (VM?). This is the first time in my life I have ever heard the term "web shell".

Re:

[Anne Thwacks]

I have read the article, and all the comments, and still have not heard of a "web shell".

I am going down to the beach to check the spider crabs.