Attacks on Web Applications Spike in Third Quarter, New Talos IR Data Shows

Cyber Security Threat Summary:
“There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter” (Cisco Talos, 2023).

Threat actors have increasingly targeted web applications, using techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf tools to maintain persistence on a victim's network. Cisco Talos says one factor in the increase is that various command and control (C2) frameworks now “feature tools to identify weaknesses in web servers to deploy web shells more easily”.

“Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists” (Cisco Talos, 2023).

While sophisticated adversaries have long leveraged web shells in attacks, these new frameworks have lowered the barrier to entry for less sophisticated adversaries. The list of commercial off-the-shelf C2 frameworks continues to grow, and will likely keep growing as adversaries adopt additional capabilities for performing web-based attacks.

Security Officer Comments:
Web shells are used by threat actors to compromise web servers that are exposed to the Internet. In some cases, threat actors may chain several of these shells together to extend their capabilities. Talos says in one case they saw a threat actor upload several PHP web shells to an unpatched web server. They also saw threat actors abuse Structured Query Language Injection (SQLi) attacks. This technique allows adversaries to enter SQL commands into an input field whose contents are not validated or sanitized before being used in a database query. Several scanning frameworks will look for vulnerable fields that can be used to launch SQLi attacks.
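As an added illustration of the SQLi point above (example code written for this page, not from Cisco Talos): a login check that splices a form field straight into the query text, beside the same check using bound parameters, plus a simple heuristic of the kind a WAF rule or log review might apply to field values. The table, user record and inputs are constructed for the demonstration.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one demo user (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates the untrusted field values into the SQL text, so whatever
    the user typed becomes part of the query's syntax rather than its data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends the field values to the
    database as data, so they can never alter the structure of the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(conn: sqlite3.Connection, username: str, field_value: str) -> tuple:
    """Runs both variants on the same input and returns (vulnerable, parameterized).
    A mismatch means the input changed the query's logic in the vulnerable path."""
    return (login_vulnerable(conn, username, field_value),
            login_parameterized(conn, username, field_value))


def looks_like_sqli(field_value: str) -> bool:
    """Lightweight detection heuristic: flags quote-plus-boolean patterns and SQL
    comment markers in a submitted field value. It is a triage aid for log review
    or a WAF rule, not a substitute for parameterized queries."""
    lowered = field_value.lower()
    markers = ("' or ", "' and ", "--", "/*", " union select ")
    return any(marker in lowered for marker in markers)
```

A password field containing a quote followed by an always-true condition returns `(True, False)` from `compare`, which is exactly the gap a WAF in front of an unpatched application is meant to close.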

Suggested Correction(s):
Cisco notes that many of these threat actors were barred from completing any post-compromise objectives due to the presence of a Web Application Firewall (WAF). Cisco recommends that organizations implement a WAF between their public-facing servers and the Internet to help defend against these attacks.