Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis
While cyberattacks that employ web shells and VPN compromise are not particularly novel, they are still prevalent. The recent incidents that Trend Micro MXDR analyzed highlight the importance of behavioral analysis and anomaly detection in security measures.
Key insights and takeaways:
- Attackers are increasingly using a layered fallback strategy by deploying multiple tools, such as web shells, tunneling software, and remote access applications.
- Trend Micro MXDR analysis reveals the threats’ multistep approach to ensuring they maintain access even if one entry point is detected and blocked.
- Web shells give attackers interactive access to compromised servers, allowing them to conduct malicious activities while also enabling them to adapt their tactics quickly.
- By compromising VPN accounts, attackers can blend into the network. They avoid detection by masquerading malware and malicious activities as legitimate-looking processes.
- With MXDR and digital forensics and incident response capabilities, companies can have the actionable threat intelligence that could help their cybersecurity team detect early signs of compromise, proactively identify abnormal behaviors, and better initiate containment and recovery.
Today’s evolving cyberthreats demand constant vigilance from organizations. Take for example two notable cybersecurity incidents we’ve observed, using novel twists on well-known techniques: a web shell attack and a VPN compromise. By scrutinizing their logs in Vision One during our containment and subsequent analysis of the incidents, we could unravel how these threats originated and escalated as well as what their next moves could have been.
From our own managed extended detection and response (MXDR) team, we break down these incidents and provide insights that can help improve the cybersecurity and incident response strategies of other organizations.
MXDR case 1: A persistent web shell attack
Web servers, often publicly accessible, are common targets for attackers looking to exploit vulnerabilities, misconfigurations, or unpatched software. Once compromised, they can be used to install malware, steal data, or launch further attacks such as cyberespionage.
One common method used to compromise web servers is by deploying malicious web shells. These malicious tools can be placed on a public-facing server by exploiting vulnerabilities or abusing file upload functions. Once the malicious web shell is installed, it creates an entry point for remotely executing commands. These include installing malware, launching additional attacks, stealing data, or using the server as a springboard to target other machines on the network.
In this incident, we’ve observed the following attack chain:
Initial access: The threat actor uploaded the web shell file to the server; the web shell would later run commands via the Internet Information Services (IIS) worker process (w3wp.exe). An earlier upload of the web shell was found, but the threat did not proceed with malicious activities at that time. Due to insufficient logs, we were unable to ascertain how these files were uploaded.
Execution: The files were introduced in the system under the IIS worker and were executed using cmd.exe.
Persistence: The threat actor created a local admin account. While the account was not used during the incident, there is evidence suggesting it would have been used at a later time had it not been caught. Additionally, the threat introduced potential tunneling software named lcx5qm.jpg to allow access via Remote Desktop Protocol (RDP) from an external IP.
Privilege escalation: The commands were run within the w3wp.exe instance and therefore with the same permissions as that process. Furthermore, a local admin account was created, which can be used to execute actions that require those privileges. A tool named zxin.jpg was dropped, and the commands executed through it ran under C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, escalating its privileges.
Defense evasion: Several binary files dropped by the threat used file extensions such as .jpg, a technique typically used to make them appear as benign files.
Discovery: Commands were executed using utilities built into Windows (e.g., set, reg.exe, whoami) to gather information regarding the host.
Command and control (C&C): Evidence of a potential C&C server was found in one of the executed files. The IP address 45[.]154[.]12[.]246 was found within the arguments of the executed file lcx5qm.jpg. Another tool, fff.txt, a reverse proxy tool, was also introduced by the threat and was seen initiating outbound traffic toward 111[.]223[.]247[.]193.
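The early indicators in this chain are process-level: the IIS worker process spawning a shell, an executable carrying an image extension, and an external address in a command line. The following Python example is added here to show what those rules look like when run over process-creation events; it is not Trend Micro code or tooling, the event records and the 203.0.113.0/24 address are constructed, and the rule names are invented for the example.

```python
"""Flag the process behaviours described in MXDR case 1 in constructed
process-creation events (added example, not Trend Micro code)."""
import re
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
# An executable image should never carry one of these extensions.
NON_EXEC_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    """RFC 1918 and loopback ranges count as internal; everything else is external.
    (Deliberately not ipaddress.is_private, which also treats TEST-NET as private.)"""
    a, b, *_ = (int(x) for x in ip.split("."))
    return a == 10 or a == 127 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def analyze(ev: ProcEvent) -> list[str]:
    """Return the rule names that fire for one event (invented names, for the example)."""
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent == IIS_WORKER and image in SHELLS:
        findings.append("iis-worker-spawned-shell")
    if "." in image and image[image.rfind("."):] in NON_EXEC_EXTS:
        findings.append("executable-with-non-executable-extension")
    for ip in IPV4.findall(ev.cmdline):
        if not is_internal(ip):
            findings.append(f"external-ip-in-cmdline:{ip}")
    return findings


# Constructed events; the external address is the documentation range 203.0.113.0/24.
SAMPLE_EVENTS = [
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", r"C:\Windows\System32\cmd.exe",
              r"C:\inetpub\wwwroot\upload\lcx5qm.jpg", "lcx5qm.jpg 203.0.113.10 443"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes\10.0.0.5.txt"),
]


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each event's image path to the findings it triggered (empty list if clean)."""
    return {ev.image: analyze(ev) for ev in events}


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {hits or 'clean'}")
```

The parent-child rule is the one that would have fired first in this incident: a web server's worker process has no business launching cmd.exe, regardless of what the command line contains, so it is worth alerting on even when the rest of the chain is not yet visible.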
MXDR case 2: VPN compromise leading to lateral movement
A VPN account compromise occurs when a malicious actor gains access to a VPN account through methods such as phishing, exploiting vulnerabilities, or obtaining weak login credentials. Once inside, the attacker can perform malicious activities using the compromised account, allowing them to blend into the network and evade security defenses. Depending on the level of access, they could move laterally to high-value systems and deploy additional payloads, such as ransomware.
In the incident we analyzed, we observed the following attack chain:
Initial access: Early activities showed login from a VPN IP originating from a workstation that conforms with the environment-naming convention of hosts. This might have helped the attacker blend in and avoid raising immediate suspicion.
Execution: The execution of Anydesk.exe, a third-party remote desktop application, on multiple hosts and the usage of net.exe (a built-in Windows command-line utility used for network administration tasks) were observed.
Persistence: The threat actor deployed AnyDesk in the environment and created user accounts. Aside from AnyDesk, compromised accounts were also observed being added to the “Remote Desktop Users” group, which grants remote desktop access to the environment.
Privilege escalation: The usage of the “net” command to create new user accounts was observed in the environment.
Trend Micro Deep Discovery Inspector (DDI) also detected network activity related to Impacket’s SECRETSDUMP and WMIEXECPY, which are normally used to harvest password hashes of both local and domain accounts with the intention of elevating access to the environment. Attempts to exploit CVE-2020-1472, also known as the Zerologon privilege escalation vulnerability, were also observed on the host but were not successful.
Defense evasion: The threat abused legitimate tools, such as anydesk.exe, to further strengthen its foothold in the environment. The threat also masqueraded the tools by dropping them in directories named “programdata” and “systemtest”.
Credential access: There are activities that corroborate the use of Impacket’s SECRETSDUMP and WMIEXECPY to harvest password hashes of both local and domain accounts.
Discovery: The threat used the tool netapp.exe, which is a copy of netscan.exe, to initiate the discovery of remote systems in the environment. The DDI logs also showed port scan activities focusing on ports 80, 139, 443, and 445.
Lateral movement: Using the compromised accounts, the threat used RDP to move to other endpoints. Additionally, WMIExec was used to remotely execute commands.
C&C: The misuse of Anydesk.exe was possibly for establishing command and control over the environment using compromised hosts.
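Two of the observations above reduce to simple, high-value detections: net.exe creating accounts or adding them to the “Remote Desktop Users” group, and one host touching many peers on ports 80, 139, 443 and 445. The Python example below is added to illustrate both over constructed records; it is not Trend Micro or DDI code, the commands, addresses and the ten-host threshold are assumptions made for the example, and the flow tuples are assumed to come from a single short time window.

```python
"""Flag net.exe account changes and port-sweep style discovery from constructed
process and flow records (added example; not Trend Micro or DDI code)."""
import re
from collections import defaultdict
from typing import Optional

TOKEN = re.compile(r'"[^"]*"|\S+')
NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
# Membership in these groups grants the remote access seen in the incident.
SENSITIVE_GROUPS = {"administrators", "remote desktop users"}
SCAN_PORTS = {80, 139, 443, 445}


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep quoted arguments such as a group name together."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def classify_command(cmdline: str) -> Optional[str]:
    """Return a finding for account/group additions made with net.exe, else None."""
    argv = tokenize(cmdline)
    if len(argv) < 3:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in NET_BINARIES:
        return None
    verb, flags = argv[1].lower(), {a.lower() for a in argv[2:]}
    if verb == "user" and "/add" in flags:
        return f"local-account-created:{argv[2]}"
    if verb == "localgroup" and "/add" in flags and len(argv) >= 4:
        group = argv[2]
        severity = "high" if group.lower() in SENSITIVE_GROUPS else "info"
        return f"member-added-to-group[{severity}]:{group}:{argv[3]}"
    return None


def detect_sweeps(flows: list[tuple[str, str, int]], threshold: int = 10) -> dict[str, int]:
    """flows are (src, dst, dport) tuples from one short time window (assumed to be
    one minute). A source that touched >= threshold distinct hosts on the scan
    ports is reported with its host count."""
    targets: dict[str, set[str]] = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


# Constructed records: one sweeping host and two ordinary ones.
SAMPLE_COMMANDS = [
    "net user svc_backup Placeh0lder-Pw /add",
    r'C:\Windows\System32\net.exe localgroup "Remote Desktop Users" svc_backup /add',
    r"net use Z: \\fileserver\share",
]
SAMPLE_FLOWS = [("10.0.1.50", f"10.0.1.{n}", 445) for n in range(101, 113)] + [
    ("10.0.1.20", "10.0.1.5", 445),
    ("10.0.1.21", "10.0.1.7", 443),
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd!r}: {classify_command(cmd)}")
    print("sweep sources:", detect_sweeps(SAMPLE_FLOWS))
```

The group-membership rule is the more reliable of the two: legitimate administration rarely adds accounts to “Remote Desktop Users” from a VPN session, whereas the sweep threshold needs tuning against the environment's normal SMB and HTTP traffic before it is alerted on.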
Key attack patterns and takeaways: Protecting against threats with a layered fallback strategy
In both incidents, a major pain point was the lack of application logs (i.e., VPN and IIS logs). These logs are crucial, as they help in understanding how the threat entered and allow for more accurate security recommendations. Regular security audits also help identify signs of the threat’s fallback mechanisms, such as unauthorized remote access or unusual tunneling activity.
Digital forensics and incident response (DFIR) analysis of both incidents revealed critical insights into how attackers adapt and persist in networks. It’s a reminder that simply blocking one entry point isn’t enough. Organizations should ensure that logs are properly audited – this sounds easy, but is sometimes overlooked.
A proactive cybersecurity strategy also involves comprehensive incident response planning. For example, identifying unusual process behavior (like a web server launching cmd.exe) or detecting unexpected VPN logins can serve as early indicators of compromise. Proactive DFIR not only aids in containment and recovery but also provides actionable intelligence to reinforce defenses. Capturing these threats early is crucial to prevent worst-case scenarios, such as the deployment of ransomware via web shells, as seen in similar attacks. In another incident, ransomware was deployed after a short dwell time following unauthorized access to a publicly exposed RDP host.
Security considerations and recommendations
Implementing layered security, well-crafted incident response plans, and employee training is essential. Insights from DFIR analysis can help shape these strategies and improve the organizations’ preparedness against evolving threats.
For web shell threats:
Ensure proper input validation and sanitization. To prevent web shell attacks through code injection, implement strong input validation and sanitization in your web applications. Allow only specific characters, data formats, or ranges of values for input fields, filtering out any potentially dangerous code. Use server-side validation to block malicious scripts or commands that attackers might attempt to inject. Additionally, adopt secure coding practices and libraries or frameworks that guard against cross-site scripting (XSS), SQL injection, and other forms of injection attacks. Keep in mind that client-side validation alone is not sufficient, as attackers can easily bypass it.
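For the file upload path specifically, server-side validation means deciding on an allow-list of extensions and checking that the bytes actually match that type, so that a renamed executable or a script with a double extension is refused. The following Python example is added to show one such check; it is not code from the article or from Trend Micro, the accepted types, size limit and marker strings are assumptions, and the sample inputs are constructed stubs rather than real files.

```python
"""Server-side validation of a file upload that rejects web shell drops such as
a PE or script saved under an image name (added example, not from the article)."""
import os
import secrets
from typing import Optional

# Allowed extension -> magic bytes the content must start with (assumed allow-list).
ALLOWED = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
           ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF-",)}
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".cshtml", ".config"}
# Markers that an image should never contain; a polyglot upload often hides these.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check is an allow-list or content check,
    never a block-list of 'bad' names."""
    if (not filename or "\x00" in filename or "/" in filename
            or "\\" in filename or filename.startswith(".")):
        return False, "unsafe-name"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "missing-extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, "extension-not-allowed"
    # 'shell.aspx.jpg' style names are refused even though .jpg itself is allowed.
    if any("." + p in SCRIPT_EXTS for p in parts[1:-1]):
        return False, "double-extension"
    if len(content) > MAX_BYTES:
        return False, "too-large"
    if content.startswith(b"MZ"):
        return False, "pe-executable"
    if not any(content.startswith(m) for m in ALLOWED[ext]):
        return False, "content-mismatch"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded-script-marker"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random server-chosen name: the client's name never reaches the file system."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext


def store(filename: str, content: bytes, upload_dir: str) -> Optional[str]:
    """Validate, then write under upload_dir (kept outside the web root) with a
    random name; returns None if the upload was rejected."""
    ok, _ = validate_upload(filename, content)
    if not ok:
        return None
    path = os.path.join(upload_dir, storage_name(filename))
    with open(path, "wb") as fh:
        fh.write(content)
    return path


# Constructed test inputs (minimal headers, not real files).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "lcx5qm.jpg": b"MZ\x90\x00" + b"\x00" * 32,          # PE renamed to look like an image
    "shell.aspx.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "cmd.aspx": b"<%@ Page Language=\"C#\" %>",
    "polyglot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<% example %>",
    "..\\web.config": b"<configuration/>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {validate_upload(name, data)}")
```

Storing uploads outside the web root under a random name is as important as the validation: even if a check is bypassed, a file that IIS cannot serve and whose name the attacker cannot predict is not a usable web shell.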
Segment the network to limit lateral movement. Isolating web servers from the internal network minimizes interaction with sensitive internal assets and hinders attackers from moving laterally after a compromise. Use firewalls and access control lists (ACLs) to enforce strict communication rules between the web server network and internal network. Additionally, monitor traffic between these segments using intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and respond to abnormal activity that might indicate an attempted breach.
Keep the web application updated. Regularly apply security patches and updates to the IIS server, web applications, and any third-party plugins or modules. Outdated software is one of the most common vectors for web shell attacks, as attackers often exploit known vulnerabilities. Establish a routine patch management process to ensure that security fixes are promptly applied. In cases where immediate patching is not possible, consider using virtual patching solutions to provide temporary protection against known exploits.
Restrict access and permissions on the IIS server. Implement strict access controls to limit who can modify files, directories, and server settings. Follow the principle of least privilege by granting only the necessary permissions to users and applications. For example, ensure that the IIS worker process (w3wp.exe) does not have write access to directories that could be used to deploy web shells. Use proper file system permissions and role-based access control to restrict modification capabilities. Regularly review and audit these permissions to identify and fix any potential misconfigurations that attackers might exploit.
Use a web application firewall (WAF) to filter traffic. Deploy a WAF in front of web servers to monitor and filter incoming HTTP/S traffic. A WAF can block known attack patterns, such as attempts to upload web shells, and filter out malicious requests. Configure the WAF with rulesets tailored to the company’s applications and server environment. Enable logging and set up alerts for suspicious activities, like repeated file upload attempts or requests containing potentially malicious code. This proactive monitoring can quickly identify and mitigate threats before they escalate.
Disable unnecessary services and ports. Regularly review the web server configuration and disable any services, features, or ports that are not required for the application. For example, if the application does not use FTP, disable the FTP service on the IIS server. Reducing the number of running services minimizes the attack surface, limiting potential entry points for attackers. Additionally, periodically scan the servers for open ports to identify and close unnecessary ports that could be exploited to deploy web shells.
For VPN compromise:
Reset credentials immediately. If a VPN account compromise is suspected, reset the credentials right away. Enforce a strong password policy. Where possible, implement multifactor authentication (MFA) for VPN access to add an extra layer of protection and reduce the risk of attackers regaining access using stolen credentials.
Monitor unusual account activities. Continuously monitor VPN usage for signs of compromise. Look for red flags like logins from unexpected locations, access outside normal working hours, or multiple failed login attempts. Pay attention to the sudden use or download of legitimate tools that attackers could abuse for malicious purposes, such as remote access software or network discovery tools. Collect and analyze data that could help flag suspicious behavior for further investigation.
For fortifying cybersecurity defenses:
Enforce least privilege and system hardening. Always assign applications the minimum permissions they need to operate. Overly permissive roles, such as granting an application administrator-level privileges, open the door for attackers to exploit these roles for deeper system access. System hardening should include disabling unnecessary services, blocking access to sensitive system files, securing registry settings, and ensuring proper file permissions to prevent unauthorized modifications. Regularly audit permissions and configurations to identify and correct potential vulnerabilities.
Enable regular auditing and detailed logging. Activate comprehensive logging on the web server, including HTTP access logs, event logs, and error logs, to monitor server interactions. For IIS servers, configure the logging features to capture critical data, such as IP addresses, request headers, timestamps, and HTTP status codes. Implement centralized logging by forwarding logs to an MXDR solution for monitoring and correlation analysis. Ensure logs are stored securely with appropriate retention policies for post-incident analysis. Regularly audit these logs to identify abnormal behavior, including repeated failed login attempts, unauthorized access to critical directories, or unusual HTTP methods.
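The three behaviors named at the end of that recommendation can be pulled straight out of the IIS W3C access log once it is being collected. The Python example below is added to show a minimal parser for that format together with those three checks; it is not Trend Micro code, the log lines are constructed, and the directory list, method list and five-failure threshold are assumptions for the example.

```python
"""Parse IIS W3C log lines and flag the anomalies the article lists: repeated
failed logins, script files under an upload directory, and unusual HTTP methods
(added example; not Trend Micro code). The log lines are constructed."""
from collections import Counter

UNUSUAL_METHODS = {"PUT", "DELETE", "TRACE", "DEBUG", "MOVE", "PROPFIND"}
SCRIPT_EXTS = (".aspx", ".ashx", ".asp", ".asmx", ".php")
# Directories that should only ever serve static content (assumed for the example).
STATIC_DIRS = ("/upload/", "/uploads/", "/images/")
FAILED_AUTH_THRESHOLD = 5

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.10 GET /index.html - 443 - 10.0.5.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
2024-05-01 10:00:05 10.0.0.10 POST /upload/lcx.aspx - 443 - 203.0.113.10 python-requests/2.31 200 0 0 40
2024-05-01 10:00:06 10.0.0.10 GET /upload/lcx.aspx - 443 - 203.0.113.10 python-requests/2.31 200 0 0 88
2024-05-01 10:00:07 10.0.0.10 PUT /upload/x.jpg - 443 - 203.0.113.10 curl/8.0 201 0 0 30
2024-05-01 10:00:10 10.0.0.10 GET /admin/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 3
2024-05-01 10:00:11 10.0.0.10 GET /admin/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 3
2024-05-01 10:00:12 10.0.0.10 GET /admin/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 3
2024-05-01 10:00:13 10.0.0.10 GET /admin/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 3
2024-05-01 10:00:14 10.0.0.10 GET /admin/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 3
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the names in the #Fields line.
    Values are space-delimited; IIS writes '-' for empty fields and '+' for spaces."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_anomalies(rows: list[dict[str, str]]) -> list[str]:
    """Apply the three checks and return one finding string per hit."""
    findings: list[str] = []
    failed: Counter = Counter()
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"].upper() in UNUSUAL_METHODS:
            findings.append(f"unusual-method:{r['cs-method']}:{stem}:{r['c-ip']}")
        if stem.startswith(STATIC_DIRS) and stem.endswith(SCRIPT_EXTS):
            findings.append(f"script-in-static-dir:{stem}:{r['c-ip']}")
        if r["sc-status"] == "401":
            failed[r["c-ip"]] += 1
    for ip, n in failed.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append(f"repeated-auth-failures:{ip}:{n}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Reading the field names from the `#Fields:` line rather than hard-coding column positions matters in practice, because the set of logged fields is a per-site setting and changes whenever an administrator enables an extra column.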
Maintain a robust patch management process. Ensure all applications, including the IIS server, web frameworks, and plugins are consistently updated with the latest security patches. Include a testing phase to validate that patches do not introduce new vulnerabilities or disrupt services. If immediate patching isn't feasible, consider virtual patching to block known exploits temporarily. Maintain an up-to-date inventory of all software versions running on the server to quickly identify components requiring patches.
Implement strong authentication. Employ MFA to secure access to the IIS server. Avoid using weak or default passwords and enforce a strict password policy. Implement account lockout mechanisms to prevent brute-force attacks. Restrict server access to known, trusted IP addresses or network segments. Monitor authentication logs for signs of anomalous login activities, such as logins from unexpected locations or attempts to bypass MFA.
Trend Micro provides comprehensive protection against these threats. Trend Cloud One™ provides application control, integrity monitoring, and intrusion prevention, which protect server environments by preventing unauthorized applications from running, monitoring system integrity for unexpected changes, and detecting suspicious network traffic. These layers of defense are critical for mitigating risks posed by web shells and VPN compromise.
Indicators of Compromise
The full list of IOCs can be found here