In the past few days, the hacker group Hafnium and a series of attacks on Microsoft Exchange Server have made headlines. The zero-day vulnerabilities used by Hafnium enabled attackers, among other things, to:
access the Exchange server without supplying a password;
escalate their privileges up to the maximum, i.e. SYSTEM;
write files to arbitrary locations on the Exchange server.
The zero-day gaps have since been patched, but the threat remains considerable, which is due among other things to the much-quoted webshells. Exactly this web-based interface plays a crucial role in many cyber attacks: it executes files and commands that have been introduced into compromised systems. Placing the webshells was particularly easy for Hafnium & Co. in the current case, since numerous Exchange systems were reachable without a password because of the security gap.
Of course, many hackers use such vulnerabilities in a very "traditional" manner: they load malware onto the compromised systems, and it is started at a later point, for example by a user or by a reboot. But while traditional malware has only a limited range of functions, there is a more flexible alternative for attacking a network. And this is where shells come into play - first without the "web" in front.
By default, scripting languages, the programming languages for smaller programs, often provide a so-called "shell", also known as a "read-evaluate-print loop" (REPL). Instead of directly executing an existing program, a REPL typically shows an input prompt and only starts working when the user enters a command. This process is repeated automatically with potentially new commands that build on the previous results. Among other things, programmers (or hackers) can thus work interactively, process results directly, run new programs in memory, or create files. With a REPL or shell, programming work can be shaped while the process is running, and users are not dependent on a rigid program that was created in advance. If hackers manage to run such a shell on a remote computer and feed it individual command lines, they have a very simple remote shell at their disposal that grants a great deal of programming freedom, since it is not restricted by predefined program functions. Such a tool is heaven on earth for hackers, because they can now act flexibly in the compromised system and are not dependent on special-purpose malware.
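To make the read-evaluate-print loop described above concrete, here is an added example (not code from the original article): a tiny calculator REPL in Python. Its mini-language (`set NAME VALUE`, `A op B`, `vars`, and `_` for the previous result) is constructed for the example; the point is the loop itself, in which each command is read, evaluated against the session state, and its result is available to the next command.

```python
import operator
import re

# Constructed example: a minimal read-evaluate-print loop (REPL) for a tiny
# calculator language. Not code from the original article; it only
# illustrates the interactive pattern the text describes.

_OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
# One binary expression: operand, operator, operand. '_' is a valid operand (previous result).
_EXPR = re.compile(r"^\s*(\w+)\s*([+\-*/])\s*(\w+)\s*$")


def _resolve(token, env):
    """Look a token up in the session state, otherwise treat it as a number."""
    if token in env:
        return env[token]
    return float(token)  # raises ValueError for unknown names / non-numbers


def evaluate(line, env):
    """Evaluate one command against the session state `env` and return its output.

    Supported forms of the constructed mini-language:
      set NAME VALUE   -> store a number under NAME
      A op B           -> arithmetic on numbers or names; '_' is the previous result
      vars             -> list the stored names
    """
    line = line.strip()
    if not line:
        return ""
    if line == "vars":
        return ", ".join(f"{k}={v}" for k, v in sorted(env.items()) if k != "_")
    if line.startswith("set "):
        _, name, value = line.split(maxsplit=2)
        env[name] = float(value)
        return f"{name} = {env[name]}"
    m = _EXPR.match(line)
    if not m:
        raise ValueError(f"unknown command: {line!r}")
    a, op, b = m.groups()
    result = _OPS[op](_resolve(a, env), _resolve(b, env))
    env["_"] = result  # the result is kept so the next command can build on it
    return str(result)


def run_repl(lines):
    """Drive the loop over scripted input and return one output string per command."""
    env = {}
    outputs = []
    for line in lines:                      # READ
        try:
            out = evaluate(line, env)       # EVALUATE
        except (ValueError, KeyError, ZeroDivisionError) as exc:
            out = f"error: {exc}"           # a bad command does not end the session
        outputs.append(out)                 # PRINT (collected so callers can inspect it)
    return outputs


if __name__ == "__main__":
    # Interactive session simulated with a fixed list of commands.
    for out in run_repl(["set x 6", "x * 7", "_ + 1", "vars", "1 / 0", "bogus"]):
        print(out)
```

Replacing the fixed command list with `input()` turns this into an interactive prompt; the structure of the loop does not change, which is exactly why the same pattern is so attractive once it runs on someone else's machine.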
So if hackers place such an ASP extension in the right place on a Windows web server, they can activate the file at any later time simply by calling the URL that is mapped to the infiltrated file. The server thus acts as a "command console" for the attack. In addition, ASP-capable script programs, such as VBScript, can not only be activated remotely, but additional parameters can also be appended to the end of the URL. As a result, what the script does can be changed every time the browser calls it - the webshell is not limited to a fixed set of commands, but can be extended as the attacker sees fit. This gives hackers a small but potent extension on a web server that executes commands directly and without requiring a log-in.
This means that the attackers can interactively run commands or programs on the target server through the browser alone, analyze the output, and carry out further actions based on it - as if they were sitting at the system console. Combined with the ability to escalate their privileges to SYSTEM, the attackers in the Hafnium case could not only move around and act on the affected system, but in part across the entire network, as they pleased.
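The traffic pattern described in the last two paragraphs is also what a defender can look for: a script file that is called directly by URL, receives extra parameters via the query string or a POST body, and succeeds without an authenticated user. As an added example (not code from the original article or from Sophos), the Python below triages IIS W3C log lines against those signals. The baseline of legitimate script paths, the field order and the log lines themselves are constructed for the example; a real baseline would be taken from a known-good installation.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed example (not code from the original article): a small triage
# over IIS W3C log lines looking for webshell-like requests, i.e. a script
# that is called directly by URL, fed parameters, and works without a log-in.

# Assumed baseline of legitimate script paths in the log-in-free directories
# of an Exchange front end. Placeholder values; build a real one from a
# known-good install.
BASELINE = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}
# Directories reachable without authentication, where an unknown script is suspicious.
WATCHED_PREFIXES = ("/owa/auth/", "/ecp/", "/aspnet_client/")
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")

# Field order of the constructed sample, matching its #Fields: header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict; None for header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def score_request(rec):
    """Return (score, reasons) for one request; higher means more webshell-like."""
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else ""
    reasons = []
    if not stem.endswith(SCRIPT_EXT):
        return 0, reasons
    if stem.startswith(WATCHED_PREFIXES) and stem not in BASELINE:
        reasons.append("script outside known baseline in a log-in-free directory")
    if rec["cs-method"].upper() == "POST":
        reasons.append("POST to a script file")
    # Weak heuristic: common parameter names; real shells may use anything.
    if re.search(r"\b(cmd|exec|command|run)=", query, re.IGNORECASE):
        reasons.append("command-like query parameter")
    if rec["cs-username"] == "-" and rec["sc-status"] == "200" and reasons:
        reasons.append("succeeded without an authenticated user")
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Return flagged requests (score >= threshold) and a hit count per client IP."""
    flagged = []
    per_client = Counter()
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score >= threshold:
            flagged.append({"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                            "uri": rec["cs-uri-stem"], "score": score, "reasons": reasons})
            per_client[rec["c-ip"]] += 1
    return flagged, per_client


# Constructed sample log (not real traffic). Lines 3 and 4 show a placeholder
# file in a log-in-free directory being driven by URL parameters and a POST.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-05 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.20 Mozilla/5.0 200
2021-03-05 08:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 CORP\\alice 198.51.100.20 Mozilla/5.0 302
2021-03-05 08:13:42 10.0.0.5 GET /owa/auth/EXAMPLE_PLACEHOLDER.aspx cmd=example 443 - 203.0.113.7 python-requests/2.25 200
2021-03-05 08:13:55 10.0.0.5 POST /owa/auth/EXAMPLE_PLACEHOLDER.aspx - 443 - 203.0.113.7 python-requests/2.25 200
2021-03-05 08:14:10 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 198.51.100.20 Mozilla/5.0 200
"""

if __name__ == "__main__":
    hits, clients = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["time"], h["client"], h["uri"], h["score"], "; ".join(h["reasons"]))
    print("hits per client:", dict(clients))
```

Note how the legitimate login POST scores only one point and stays below the threshold, while the two requests to the unknown script in the same directory score three each. Pairing such log hits with a check for recently created script files in the same directories gives a much stronger signal than either alone.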
Tip: If you want to find out more about webshells, you can do so in a detailed article from the "Serious Security" series by our colleagues at Naked Security: https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/