Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

In both incidents, a major pain point was the lack of application logs (i.e., VPN and IIS logs). These logs are crucial, as they help in understanding how the threat entered and allow for more accurate security recommendations. Regular security audits also help identify signs of the threat’s fallback mechanisms, such as unauthorized remote access or unusual tunneling activity.

Digital forensics and incident response (DFIR) analysis of both incidents revealed critical insights into how attackers adapt and persist in networks. It’s a reminder that simply blocking one entry point isn’t enough. Organizations should ensure that logs are properly audited – this sounds easy, but it is sometimes overlooked.

A proactive cybersecurity strategy also involves comprehensive incident response planning. For example, identifying unusual process behavior (like a web server launching cmd.exe) or detecting unexpected VPN logins can serve as early indicators of compromise. Proactive DFIR not only aids in containment and recovery but also provides actionable intelligence to reinforce defenses. Capturing these threats early is crucial to prevent worst-case scenarios, such as the deployment of ransomware via web shells, as seen in similar attacks. In another incident, ransomware was deployed after a short dwell time following unauthorized access to a publicly exposed RDP host.
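The process-lineage indicator mentioned above (a web server launching cmd.exe) can be checked mechanically over process-creation telemetry. The following is an added example, not code from the original analysis; the event records are constructed, w3wp.exe is the IIS worker process named in the text, and the other web-server and shell image names are assumed additions.

```python
"""Flag a web-server worker process spawning a command interpreter (constructed events)."""
import ntpath
from dataclasses import dataclass

# Parent images that serve HTTP and should not start shells. w3wp.exe is the IIS
# worker process named on the page; the others are assumed additions.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe"}
# Child images that indicate interactive command execution (assumed list).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. Windows Event 4688 or Sysmon Event 1)."""
    ts: str
    host: str
    parent_image: str   # full path of the creating process
    image: str          # full path of the new process
    command_line: str

def image_name(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return ntpath.basename(path).lower()

def detect_shell_from_web_server(events):
    """Return one alert per event whose parent is a web server and whose child is a shell."""
    alerts = []
    for e in events:
        parent, child = image_name(e.parent_image), image_name(e.image)
        if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
            alerts.append({"ts": e.ts, "host": e.host, "rule": "web_server_spawned_shell",
                           "parent": parent, "child": child, "command_line": e.command_line})
    return alerts

# Constructed sample events; the second and fourth are the ones that should alert.
SAMPLE_EVENTS = [
    ProcessEvent("2024-03-04T10:00:00Z", "WEB01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcessEvent("2024-03-04T10:05:12Z", "WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami"'),
    ProcessEvent("2024-03-04T10:06:40Z", "WEB01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # admin console: not flagged
    ProcessEvent("2024-03-04T10:07:02Z", "WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-ChildItem"),
]

if __name__ == "__main__":
    for alert in detect_shell_from_web_server(SAMPLE_EVENTS):
        print(alert)
```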

Implementing layered security, well-crafted incident response plans, and employee training is essential. Insights from DFIR analysis can help shape these strategies and improve an organization’s preparedness against evolving threats.

For web shell threats:

Ensure proper input validation and sanitization. To prevent web shell attacks through code injection, implement strong input validation and sanitization in your web applications. Allow only specific characters, data formats, or ranges of values for input fields, filtering out any potentially dangerous code. Use server-side validation to block malicious scripts or commands that attackers might attempt to inject. Additionally, adopt secure coding practices and libraries or frameworks that guard against cross-site scripting (XSS), SQL injection, and other forms of injection attacks. Keep in mind that client-side validation alone is not sufficient, as attackers can easily bypass it.

Segment the network to limit lateral movement. Isolating web servers from the internal network minimizes interaction with sensitive internal assets and hinders attackers from moving laterally after a compromise. Use firewalls and access control lists (ACLs) to enforce strict communication rules between the web server network and internal network. Additionally, monitor traffic between these segments using intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and respond to abnormal activity that might indicate an attempted breach.

Keep the web application updated. Regularly apply security patches and updates to the IIS server, web applications, and any third-party plugins or modules. Outdated software is one of the most common vectors for web shell attacks, as attackers often exploit known vulnerabilities. Establish a routine patch management process to ensure that security fixes are promptly applied. In cases where immediate patching is not possible, consider using virtual patching solutions to provide temporary protection against known exploits.

Restrict access and permissions on the IIS server. Implement strict access controls to limit who can modify files, directories, and server settings. Follow the principle of least privilege by granting only the necessary permissions to users and applications. For example, ensure that the IIS worker process (w3wp.exe) does not have write access to directories that could be used to deploy web shells. Use proper file system permissions and role-based access control to restrict modification capabilities. Regularly review and audit these permissions to identify and fix any potential misconfigurations that attackers might exploit.

Use a web application firewall (WAF) to filter traffic. Deploy a WAF in front of web servers to monitor and filter incoming HTTP/S traffic. A WAF can block known attack patterns, such as attempts to upload web shells, and filter out malicious requests. Configure the WAF with rulesets tailored to the company’s applications and server environment. Enable logging and set up alerts for suspicious activities, like repeated file upload attempts or requests containing potentially malicious code. This proactive monitoring can quickly identify and mitigate threats before they escalate.

Disable unnecessary services and ports. Regularly review the web server configuration and disable any services, features, or ports that are not required for the application. For example, if the application does not use FTP, disable the FTP service on the IIS server. Reducing the number of running services minimizes the attack surface, limiting potential entry points for attackers. Additionally, periodically scan the servers for open ports to identify and close unnecessary ports that could be exploited to deploy web shells.

For VPN compromise:

Reset credentials immediately. If a VPN account compromise is suspected, reset the credentials right away. Enforce a strong password policy. Where possible, implement multifactor authentication (MFA) for VPN access to add an extra layer of protection and reduce the risk of attackers regaining access using stolen credentials.

Monitor unusual account activities. Continuously monitor VPN usage for signs of compromise. Look for red flags like logins from unexpected locations, access outside normal working hours, or multiple failed login attempts. Pay attention to the sudden use or download of legitimate tools that attackers could abuse for malicious purposes, such as remote access software or network discovery tools. Collect and analyze data that could help flag suspicious behavior for further investigation.
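The red flags listed above (logins outside working hours, from unexpected locations, and after bursts of failed attempts) translate directly into rules over VPN authentication records. This is an added example, not part of the original analysis; the log format, the business hours, the per-user country expectations and the failure threshold are all assumptions, and the records are constructed.

```python
"""Flag anomalous VPN authentication events in constructed 'ts user country result' records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy assumptions, not from the page: business hours (UTC) and each user's usual countries.
WORK_START_HOUR, WORK_END_HOUR = 8, 18
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"US"}}
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, timedelta(minutes=10)

def parse_vpn_line(line):
    """Parse one constructed log record into a dict with a timezone-aware timestamp."""
    ts, user, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "country": country, "result": result}

def detect_vpn_anomalies(lines):
    """Return (timestamp, user, rule) tuples for the red flags named on the page."""
    events = sorted((parse_vpn_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, failures = [], defaultdict(list)   # failures: user -> recent failure timestamps
    for e in events:
        user, ts = e["user"], e["ts"]
        recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
        if e["result"] == "FAILURE":
            failures[user] = recent + [ts]
            if len(failures[user]) == FAILURE_THRESHOLD:     # alert when threshold is reached
                alerts.append((ts, user, "repeated_failures"))
            continue
        # A successful login: check hours, geography and whether a failure burst preceded it.
        if not WORK_START_HOUR <= ts.hour < WORK_END_HOUR:
            alerts.append((ts, user, "outside_working_hours"))
        if e["country"] not in EXPECTED_COUNTRIES.get(user, set()):
            alerts.append((ts, user, "unexpected_country"))
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append((ts, user, "success_after_failure_burst"))
        failures[user] = []                                  # a success resets the counter
    return alerts

# Constructed sample: bob logs in at night from an unexpected country; carol succeeds
# right after five failures inside ten minutes.
SAMPLE_VPN_LOG = """\
2024-03-04T09:15:00Z alice US SUCCESS
2024-03-04T02:40:00Z bob RU SUCCESS
2024-03-04T11:00:00Z carol US FAILURE
2024-03-04T11:00:30Z carol US FAILURE
2024-03-04T11:01:00Z carol US FAILURE
2024-03-04T11:01:30Z carol US FAILURE
2024-03-04T11:02:00Z carol US FAILURE
2024-03-04T11:02:30Z carol US SUCCESS
""".splitlines()
```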

For fortifying cybersecurity defenses:

Enforce least privilege and system hardening. Always assign applications the minimum permissions they need to operate. Overly permissive roles, such as granting an application administrator-level privileges, open the door for attackers to exploit these roles for deeper system access. System hardening should include disabling unnecessary services, blocking access to sensitive system files, securing registry settings, and ensuring proper file permissions to prevent unauthorized modifications. Regularly audit permissions and configurations to identify and correct potential vulnerabilities.

Enable regular auditing and detailed logging. Activate comprehensive logging on the web server, including HTTP access logs, event logs, and error logs, to monitor server interactions. For IIS servers, configure logging features to capture critical data, such as IP addresses, request headers, timestamps, and HTTP status codes. Implement centralized logging by forwarding logs to an MXDR solution for monitoring and correlation analysis. Ensure logs are stored securely with appropriate retention policies for post-incident analysis. Regularly audit these logs to identify abnormal behavior, including repeated failed login attempts, unauthorized access to critical directories, or unusual HTTP methods.
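The three audit targets named above (repeated failed logins, denied access to critical directories, unusual HTTP methods) can be checked against IIS W3C extended logs with a small parser; the example also goes one step further and flags later requests to a path that an accepted PUT created, which is the pattern a web shell drop leaves in the access log. This is an added example, not code from the original analysis; the log lines are constructed, and the allowed methods, critical directory list and failure threshold are assumptions for the sample application.

```python
"""Audit IIS W3C extended log lines for unusual methods, denied access to critical
directories, repeated 401s, and requests to a file that was just uploaded (constructed log)."""
from collections import Counter

ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}   # assumed baseline for this application
CRITICAL_PREFIXES = ("/admin/",)                        # assumed sensitive directories
AUTH_FAILURE_THRESHOLD = 3                              # 401 responses per client IP

def parse_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue            # other directives and blank lines
        else:
            yield dict(zip(fields, line.split()))

def audit_iis_log(lines):
    """Return (time, client_ip, rule, detail) tuples for each suspicious request."""
    alerts, failures, uploaded = [], Counter(), set()
    for r in parse_w3c(lines):
        method, path, ip = r["cs-method"], r["cs-uri-stem"], r["c-ip"]
        status, when = int(r["sc-status"]), f'{r["date"]} {r["time"]}'
        if method not in ALLOWED_METHODS:
            alerts.append((when, ip, "unusual_method", f"{method} {path}"))
            if method == "PUT" and 200 <= status < 300:
                uploaded.add(path.lower())        # remember what the server accepted
        elif path.lower() in uploaded:
            alerts.append((when, ip, "request_to_uploaded_file", f"{method} {path}"))
        if path.startswith(CRITICAL_PREFIXES) and status in (401, 403):
            alerts.append((when, ip, "denied_critical_dir", f"{status} {path}"))
        if status == 401:
            failures[ip] += 1
            if failures[ip] == AUTH_FAILURE_THRESHOLD:
                alerts.append((when, ip, "repeated_auth_failures", f"{failures[ip]} x 401"))
    return alerts

# Constructed sample in IIS W3C format; user-agent spaces are '+' as IIS writes them.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-04 10:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows) - 200 0 0 15
2024-03-04 10:00:05 10.0.0.5 PUT /uploads/new.aspx - 443 - 198.51.100.7 curl/8.0 - 201 0 0 40
2024-03-04 10:00:09 10.0.0.5 GET /admin/login.aspx - 443 - 198.51.100.7 curl/8.0 - 401 2 5 12
2024-03-04 10:00:10 10.0.0.5 GET /admin/login.aspx - 443 - 198.51.100.7 curl/8.0 - 401 2 5 11
2024-03-04 10:00:11 10.0.0.5 GET /admin/login.aspx - 443 - 198.51.100.7 curl/8.0 - 401 2 5 10
2024-03-04 10:00:20 10.0.0.5 POST /uploads/new.aspx - 443 - 198.51.100.7 curl/8.0 - 200 0 0 300
""".splitlines()
```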

Maintain a robust patch management process. Ensure all applications, including the IIS server, web frameworks, and plugins, are consistently updated with the latest security patches. Include a testing phase to validate that patches do not introduce new vulnerabilities or disrupt services. If immediate patching isn’t feasible, consider virtual patching to block known exploits temporarily. Maintain an up-to-date inventory of all software versions running on the server to quickly identify components requiring patches.

Implement strong authentication. Employ MFA to secure access to the IIS server. Avoid using weak or default passwords and enforce a strict password policy. Implement account lockout mechanisms to prevent brute-force attacks. Restrict server access to known, trusted IP addresses or network segments. Monitor authentication logs for signs of anomalous login activities, such as logins from unexpected locations or attempts to bypass MFA.

Trend Micro provides comprehensive protection against these threats. Trend Cloud One™ provides application control, integrity monitoring, and intrusion prevention, which protect server environments by preventing unauthorized applications from running, monitoring system integrity for unexpected changes, and detecting suspicious network traffic. These layers of defense are critical for mitigating risks posed by web shells and VPN compromise.

Indicators of Compromise

The full list of IOCs can be found here