These days, it seems like there is a major security breach every week, so we often read the headlines of the latest hack with a shrug, unless, of course, it impacts us personally. But the recent Microsoft Exchange Server hack was newsworthy, not just for its scope and aftermath (more on that later), but for its use of something called web shells. It’s a fair assumption that most people will never have heard of web shell attacks and the risk they pose, especially those who don’t work in tech or cybersecurity, but web shells represent a unique threat, and raising awareness is important.
Before looking at web shells, let’s recap what happened.
What is Microsoft Exchange?
Microsoft Exchange is an email server. It is sometimes referred to as Microsoft’s premium or business-orientated alternative to Outlook, but that is something of an oversimplification. Moreover, the two products can overlap, and it can be confusing at times when Exchange is marketed by Microsoft as Outlook for Business. But it is enough to say that Exchange does offer more tools and enterprise-level solutions. It is widely used by large and medium-sized corporations, whereas Outlook is more common for smaller businesses and individuals.
What Happened with the Exchange Hack?
As mentioned, the Exchange Hack of 2021 was a big event – it even has its own Wikipedia page. The attacks began in January when four zero-day exploits were discovered on Microsoft Exchange Servers. This gave the hackers access to usernames, passwords and other sensitive data from the affected servers. By March, almost a quarter of a million servers were said to be compromised. Also in March, Microsoft released updates to patch the exploits, but it was not fully able to undo the damage or remove the backdoors (more on this below) used by hackers. By late March, still around 8% of servers were compromised. Microsoft claimed that Hafnium, a hacking group said to be backed by the Chinese government, was behind the attack.
Should I be worried about using Microsoft Exchange?
Yes and no. There are always going to be threats to any email application, and Microsoft will surely have learned lessons from the recent attack. But it is also true that companies like Microsoft are vulnerable to attack simply by way of their presence and what they represent (capitalism, globalization, American economic might, Big Tech hegemony, and so on). Microsoft has been hacked many times before, and it will be again. It’s worth saying that there are alternatives to Exchange and Outlook that put security services and privacy features as a top priority. Spike email is one such brand gaining traction as a popular alternative option for businesses. You can even download the Spike email app for Android smartphones for personal use.
So, what has this to do with web shells?
We mentioned above that hackers took advantage of four zero-day exploits on Microsoft’s servers. In the simplest terms, a zero-day exploit targets a vulnerability in the system – a door into the servers for hackers to exploit. Hackers can do this easily by employing scanning services to search for reports on vulnerabilities, allowing them to pinpoint which servers to attack. The next step is the installation of the web shells. A web shell is a script or piece of code that allows for remote administration. Web shells are not in and of themselves viruses or malware, as they can be used legitimately to perform actions remotely. However, they have quickly become part of hackers’ strategy to gain control of internet-facing* servers – like Microsoft Exchange Servers. A web shell attack, therefore, allows malicious actors to execute commands remotely; these commands can download emails, passwords and usernames, for example. The biggest problem with web shells, however, is that they can be very hard to detect.
*It is a common misconception that only internet-facing servers are targeted for web shell attacks. Other systems, like CMS or network device management interfaces, can also be targeted.
Are web shell attacks on the rise?
Yes. Microsoft itself published information in February 2021 showing that the average number of monthly web shell attacks between August 2020 and January 2021 almost doubled compared to a year previously. In Microsoft’s own words, “data shows that this trend not only continued but accelerated.”
How to protect against web shell attacks?
As we have mentioned above, web shells are post-exploitation tools for hackers. In plain English, they are employed after the initial attack, i.e., once the hackers have gained entry into a vulnerable server. The first step, therefore, is to ensure that hackers cannot gain entry in the first place. There are several tools to do this, including a WAF (Web Application Firewall) and vulnerability scanners. Other ways to prevent web shell attacks before they happen include: web application updates, file integrity monitoring, installing intrusion prevention systems (IPS), network segregation, and blocking access to unused ports and servers. This list is obviously not exhaustive.
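File integrity monitoring, one of the measures listed above, is the control that catches a web shell after it has been dropped rather than before: a baseline of file hashes for the web root is recorded while the server is known-good, and later scans are compared against it so that any new or modified file, in particular a new server-side script in a directory that should only hold static content, is flagged for review. The script below is an added example, not code from the original article or from Microsoft; the web root, file names and file contents are constructed for the demo, and a real deployment would point `scan_tree` at the actual web root, store the baseline somewhere the web server cannot write, and run the comparison on a schedule.

```python
"""
File integrity monitoring (FIM) demo for a web root: baseline, rescan, diff.
Added example, not from the original article. Paths and contents are constructed.
"""
import hashlib
import os
import tempfile

# Constructed sample web root: two legitimate files that belong there.
SAMPLE_FILES = {
    "index.html": b"<html><body>Welcome</body></html>",
    "static/app.js": b"console.log('hello');",
}

# Extensions of server-side script types; a new file with one of these in a
# web root is worth an analyst's attention regardless of its contents.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def suspicious_additions(added):
    """Subset of newly added paths whose extension is a server-side script type."""
    return [p for p in added if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS]


def write_files(root, files):
    """Helper for the demo: materialise a {relative path: bytes} map under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Take a baseline, simulate drift (a new script file and an edited page), report it."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, SAMPLE_FILES)
        baseline = scan_tree(root)
        # Drift after the baseline: a new .aspx appears in an uploads folder
        # (constructed placeholder content, not a real shell) and index.html changes.
        write_files(root, {
            "uploads/unexpected.aspx": b"<%-- constructed placeholder file --%>",
            "index.html": b"<html><body>Welcome!</body></html>",
        })
        added, modified, removed = compare(baseline, scan_tree(root))
        return added, modified, removed, suspicious_additions(added)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    for label, items in (("added", added), ("modified", modified), ("removed", removed)):
        for p in items:
            print(f"{label}: {p}")
    for p in flagged:
        print(f"REVIEW: new server-side script in web root: {p}")
```

The baseline must be taken from a state you trust; a baseline recorded after a compromise simply enshrines the implant as "expected". Hashing with SHA-256 rather than comparing timestamps matters because file modification times are trivially reset, whereas content changes always change the digest.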