Trend Micro Analyzes Web Shell Intrusion and Enhances Server Security

January 15, 2025

In a recent incident, Trend Micro™ Managed XDR investigated a web shell intrusion that highlighted the critical need for vigilant monitoring and proactive security measures for web servers. This analysis demonstrates how advanced detection tools and thorough investigation can effectively manage and mitigate cyber threats. The incident began when Trend Micro™ Managed XDR’s endpoint sensors detected suspicious activity executed by the Internet Information Services (IIS) worker process (w3wp.exe). The investigation revealed that the attacker had successfully uploaded a web shell onto an unprotected IIS server. This breach allowed the attacker to persist within the network by creating new accounts and altering existing user passwords. The attack primarily involved an encoded PowerShell command that established a reverse TCP shell for command-and-control operations, the work of a capable and deliberate adversary.

Initial Detection and Alert

The incident response was promptly triggered by Trend Vision One™, which identified the w3wp.exe process executing a suspicious binary. This behavior indicated potential exploitation of the web server, involving unauthorized activities or a compromised environment. The initial detection played a vital role in unraveling the attacker’s methods and objectives. Upon deeper investigation, it was confirmed that the attackers had established initial access by uploading a web shell that the IIS worker process then executed. Analysis of web server requests revealed the POST requests that led to the web shell’s creation. Initial POST requests to “batchupload.aspx” and “email_settings.aspx” from the IP address 86.48.10[.]109 signaled the commencement of malicious activities, providing crucial insight into the attack’s entry point.

Trend Micro’s team observed that the adversary issued commands through the uploaded web shell, prompting the IIS worker process to spawn further command line and PowerShell activities. This observation was supported by detailed root cause analysis (RCA) provided by Trend Vision One, highlighting the sequence of processes spawned by w3wp.exe, including cmd.exe and powershell.exe. The investigation revealed that these spawned processes were significant as they facilitated the attacker’s goals during this phase, which included comprehensive discovery such as system owner identification, system information gathering, and process, file/directory, and account discovery through tools like whoami, tasklist, systeminfo, and type.
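The process relationship described above (w3wp.exe spawning cmd.exe or powershell.exe, followed by discovery commands) is the core of the detection that started this case. The following is an added example written for this article, not Trend Micro's or Trend Vision One's code: it applies that rule to a handful of constructed process-creation records. The record field names, the list of discovery tools, and the sample command lines are assumptions; the base64 blob in the second record decodes to the word "Placeholder", not to any real script.

```python
"""Flag command-line and PowerShell activity spawned by the IIS worker process.

Added example, not Trend Micro's or Trend Vision One's code.  The records
below are constructed to resemble process-creation telemetry (parent image,
child image, command line); the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Child processes that are unusual under w3wp.exe and match the incident's RCA.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Discovery tools the investigation saw after the web shell was uploaded.
DISCOVERY_TOOLS = {"whoami", "tasklist", "systeminfo", "type"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discovery_tools_in(command_line: str) -> set[str]:
    """Discovery tool names referenced anywhere in a (possibly chained) command line."""
    tokens = command_line.replace("&&", " ").replace("|", " ").split()
    names = {t.strip('"').lower() for t in tokens}
    names = {n[:-4] if n.endswith(".exe") else n for n in names}
    return names & DISCOVERY_TOOLS


def classify(event: ProcessEvent) -> dict | None:
    """Return a finding when w3wp.exe spawns a shell, else None."""
    parent, child = basename(event.parent_image), basename(event.image)
    if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    lowered = event.command_line.lower()
    return {
        "parent": parent,
        "child": child,
        "discovery": sorted(discovery_tools_in(event.command_line)),
        # -enc / -EncodedCommand hides the script body; the reverse shell in
        # this incident was launched that way.
        "encoded": " -enc" in lowered or "-encodedcommand" in lowered,
    }


def scan(events: list[ProcessEvent]) -> list[dict]:
    """Run the rule over a batch of events and keep only the findings."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


# Constructed sample telemetry: two shell spawns from w3wp.exe, one benign
# ASP.NET compiler spawn (csc.exe is normal for dynamic page compilation),
# and a shell started from Explorer, which this rule deliberately ignores.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami && tasklist"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig @placeholder.cmdline"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c systeminfo"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The csc.exe record is the reason the rule keys on an explicit child list rather than on "any child of w3wp.exe": ASP.NET sites compile pages at run time, so a broader rule would page the analyst on every cold start.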

Persistence Mechanisms

To maintain persistence within the compromised environment, the attacker employed several measures. They created a new user account and altered the password for an existing account, ensuring continued access while evading detection. The attacker also renamed the web shell to obscure its presence, masquerading it as a legitimate file. Central to the attacker’s strategy was the utilization of an encoded PowerShell command to establish a reverse TCP shell, enabling command-and-control operations. This reverse shell connected back to a specified IP address, allowing the attacker to execute commands remotely and download additional malicious tools, thereby enhancing their foothold on the compromised server.

Several malicious payloads were identified in the directory C:\Users\Public, indicating extensive adversary activities. These payloads included 0x02.exe, rev.bat, AnyDesk.exe, and ngrok.exe, each downloaded from external sources. The installer for AnyDesk was configured to start automatically with Windows, further enabling remote desktop access for the attacker. This was achieved using the command: "C:\users\public\AnyDesk.exe" --install --start-with-win, highlighting the attacker’s intent to maintain prolonged access and control over the compromised server.
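Two of the indicators in the last two paragraphs, the encoded PowerShell command that launched the reverse shell and the AnyDesk auto-start install, can be checked directly from process command lines. The following is an added example, not from the page or from Trend Micro: it decodes the UTF-16LE base64 form that PowerShell's -EncodedCommand accepts and scores the result for the building blocks of a reverse TCP shell, and separately matches the AnyDesk install flags quoted above. The sample command lines are constructed, the indicator list and its threshold are assumptions, and the "suspicious" encoded payload is a comment naming the indicators rather than a working script.

```python
"""Decode PowerShell -EncodedCommand arguments and flag reverse-shell and
persistence indicators.

Added example, not from the page or Trend Micro.  The command lines are
constructed; the encoded payload is a harmless placeholder built in this
file, not the attacker's script.
"""
from __future__ import annotations

import base64
import re

# Pieces a reverse TCP shell needs: an outbound socket, its stream, and an
# expression evaluator for whatever comes back.  Routine admin scripts rarely
# combine them, so two or more hits is treated as likely.  (Assumed weights.)
REVERSE_SHELL_INDICATORS = (
    "System.Net.Sockets.TCPClient",
    "GetStream",
    "Invoke-Expression",
    "IEX",
)
# AnyDesk installed to auto-start, as on the page; -+ accepts "--" or "-".
PERSISTENCE_PATTERN = re.compile(r"anydesk\.exe.*-+install.*-+start-with-win", re.I)
# -e, -ec, -en, -enc or -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """Produce the UTF-16LE base64 form PowerShell's -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> str | None:
    """Return the decoded script if the command line carries an encoded one."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(command_line: str) -> dict:
    """Score one process command line for reverse-shell and persistence signs."""
    decoded = decode_encoded_command(command_line)
    text = (decoded or command_line).lower()
    hits = [s for s in REVERSE_SHELL_INDICATORS if s.lower() in text]
    return {
        "decoded": decoded,
        "reverse_shell_indicators": hits,
        "likely_reverse_shell": len(hits) >= 2,
        "persistence": bool(PERSISTENCE_PATTERN.search(command_line)),
    }


# Constructed samples.  The second script is only a comment that names the
# indicator strings, so decoding it demonstrates the check without shipping
# a functional payload.
BENIGN_SCRIPT = "Get-Service W3SVC | Select-Object Status"
PLACEHOLDER_SCRIPT = "# constructed placeholder naming System.Net.Sockets.TCPClient, GetStream and IEX"
SAMPLE_COMMANDS = {
    "benign": "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(BENIGN_SCRIPT),
    "reverse_shell_like": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(PLACEHOLDER_SCRIPT),
    "anydesk": r'"C:\users\public\AnyDesk.exe" --install --start-with-win',
    "plain": "cmd.exe /c whoami",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        print(label, assess(cmd))
```

Decoding before matching matters: a rule that only inspects the raw command line sees nothing but base64, which is exactly why the attacker encoded it.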

Data Collection and Exfiltration

The attackers used the 7-Zip application to archive the web server’s working directory with the command: "cmd.exe" /c E: && cd\azure\azureapps\test.*\ && "C:\Program Files\7-zip\7z.exe" a -r _x89z7a.zip ".\*". The archive was subsequently exfiltrated via a GET request, recorded in the web server log as GET /_x89z7a.zip – 443 – 86.48.10[.]109. Following the exfiltration, the attacker deleted the archive to cover their tracks using the command: "cmd.exe" /c E: && cd\azure\azureapps\test.*\ && del /f _x89z7a.zip, effectively removing evidence of data theft. Other files related to payments and transactions were also exfiltrated using similar GET requests through the C&C channel, demonstrating the attackers’ methodical approach to data extraction and their efforts to conceal their activities.
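The sequence above leaves a recognizable trace in the IIS W3C log: one client POSTs to .aspx pages (the upload and the web shell) and, some time later, GETs an archive straight from the web root. The following is an added example and not Trend Micro's tooling: it parses W3C extended log lines using the #Fields header and reports clients that show that ordering. The log excerpt is constructed (dates, server IP, status codes and user agent are invented); only the client IP and the request paths come from the page.

```python
"""Correlate IIS W3C log entries: a client that POSTs to .aspx pages and
later fetches an archive from the web root matches the exfiltration pattern.

Added example, not Trend Micro's tooling.  The log excerpt is constructed
(dates, server IP and user agent are invented; the client IP and paths are
the ones the page reports).
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 02:11:05 10.0.0.5 POST /batchupload.aspx - 443 - 86.48.10.109 Mozilla/5.0 200
2025-01-10 02:11:07 10.0.0.5 POST /email_settings.aspx - 443 - 86.48.10.109 Mozilla/5.0 200
2025-01-10 02:12:30 10.0.0.5 POST /cmd.aspx - 443 - 86.48.10.109 Mozilla/5.0 200
2025-01-10 02:40:12 10.0.0.5 GET /_x89z7a.zip - 443 - 86.48.10.109 Mozilla/5.0 200
2025-01-10 02:41:00 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-10 02:42:00 10.0.0.5 GET /docs/manual.zip - 443 - 198.51.100.7 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def when(row: dict) -> datetime:
    """Timestamp of a log row (IIS logs date and time as separate fields)."""
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def correlate(rows: list[dict]) -> list[dict]:
    """Per client IP: POSTs to .aspx pages followed by a GET of an archive."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for row in rows:
        by_client[row["c-ip"]].append(row)
    findings = []
    for client, recs in by_client.items():
        recs.sort(key=when)
        posts = [r for r in recs
                 if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().endswith(".aspx")]
        archives = [r for r in recs
                    if r["cs-method"] == "GET" and r["cs-uri-stem"].lower().endswith(ARCHIVE_EXT)]
        if not posts or not archives:
            continue   # the second client only downloads a manual: no POSTs, no finding
        first_post = when(posts[0])
        later = [r for r in archives if when(r) > first_post]
        if later:
            findings.append({
                "client": client,
                "posted_pages": [r["cs-uri-stem"] for r in posts],
                "archives_after_post": [r["cs-uri-stem"] for r in later],
                "minutes_between": round((when(later[0]) - first_post).total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_iis_log(SAMPLE_LOG)):
        print(finding)
```

Reading the field names from the #Fields line rather than hard-coding column positions is what keeps the parser usable across servers, since IIS administrators choose which fields to log.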

A detailed analysis of the collected files revealed multiple web shells uploaded to the victim host, each with distinct functionalities. Examples include cmd.aspx, cmd2.aspx, and default.aspx, which allowed arbitrary command shell code execution and exposed output to the client. Another variant, 0514_Bills_Payment_Intraday_001102019_114424.aspx, was similar to cmd.aspx but utilized PowerShell for code execution, showcasing the attackers’ preference for versatile and powerful tools. Additionally, 0514_Bills_Payment_Intraday_01012019_054034.aspx potentially allowed arbitrary file management with functions for navigation, creation, editing, deletion, and uploading files, enhancing the attacker’s capabilities for sustained network presence.

Technical Analysis of Malicious Files

The presence of multiple web shells with various capabilities underscores the adaptive nature of the attack. These web shells facilitated extensive command shell access, code execution, and file management on the compromised server. For instance, cmd.asp enabled command line execution through URL parameters and returned results to the sender, while hello.aspx contained only the string “hello,” potentially serving as a test or placeholder. Other scripts like up.aspx and up.html facilitated arbitrary file uploads without content sanitization or validation, potentially allowing the uploading of other malicious scripts. The 0x02.exe executable required specific arguments and VC runtime DLLs to function properly and enabled remote code execution (RCE) through RPC and named pipes; its use points to a capable attacker pursuing privilege escalation and persistence via impersonation and security descriptor manipulation.
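The variants catalogued in the two sections above differ in what they call (a process launcher, a PowerShell host, file APIs, an upload save) and, in two cases, in file names that imitate business documents. The following is an added example, not Trend Micro's analysis tooling: it triages a web root for those traits and ranks the results. The "files" are an in-memory dictionary of constructed contents that merely name the .NET APIs a shell would use and are not working pages; the trait list, weights and the document-like-name pattern are assumptions.

```python
"""Triage .aspx/.asp files in a web root for web-shell traits.

Added example, not Trend Micro's analysis tooling.  The "files" are an
in-memory dict of constructed contents: they name the .NET APIs a shell
would call but are not working pages.  Indicator lists and weights are
assumptions.
"""
from __future__ import annotations

import re

# Traits drawn from the variants on the page: command execution, PowerShell
# hosting, request-driven input, file management, and raw upload handling.
TRAITS = {
    "command_exec": (re.compile(r"System\.Diagnostics\.Process|ProcessStartInfo|cmd\.exe", re.I), 3),
    "powershell_host": (re.compile(r"System\.Management\.Automation|RunspaceFactory", re.I), 3),
    "request_input": (re.compile(r"Request\.(?:QueryString|Form|Params)", re.I), 1),
    "file_manager": (re.compile(r"File\.(?:Delete|WriteAllText|Move)|Directory\.(?:Delete|CreateDirectory)", re.I), 2),
    "raw_upload": (re.compile(r"PostedFile\.SaveAs|\.SaveAs\(", re.I), 2),
}
# Names that imitate invoices or statements but end in an executable page
# type, like the 0514_Bills_Payment_... files reported above.
DOCUMENT_LIKE_NAME = re.compile(r"(?:bill|payment|invoice|receipt|statement).*\.aspx?$", re.I)


def score_file(name: str, content: str) -> dict:
    """Collect matching traits for one file and add up their weights."""
    traits = [t for t, (pattern, _) in TRAITS.items() if pattern.search(content)]
    score = sum(TRAITS[t][1] for t in traits)
    if DOCUMENT_LIKE_NAME.search(name):
        traits.append("document_like_name")
        score += 2
    if len(content.strip()) < 40 and "<%" not in content:
        traits.append("tiny_placeholder")   # e.g. a page containing only "hello"
        score += 1
    return {"file": name, "score": score, "traits": traits}


def triage(files: dict[str, str]) -> list[dict]:
    """Return files with at least one trait, highest score first."""
    results = [score_file(name, content) for name, content in files.items()]
    return sorted((r for r in results if r["traits"]), key=lambda r: -r["score"])


# Constructed contents: fragments that name APIs, not runnable pages.
SAMPLE_FILES = {
    "cmd.aspx": '<%@ Page Language="C#" %> constructed fragment: ProcessStartInfo cmd.exe Request.QueryString Response.Write',
    "0514_Bills_Payment_Intraday_01012019_054034.aspx":
        '<%@ Page Language="C#" %> constructed fragment: Request.Form File.Delete Directory.CreateDirectory PostedFile.SaveAs',
    "hello.aspx": "hello",
    "up.aspx": '<%@ Page Language="C#" %> constructed fragment: FileUpload1.PostedFile.SaveAs(Server.MapPath(...))',
    "Default.aspx": '<%@ Page Language="C#" MasterPageFile="~/Site.master" %> <asp:Content> welcome </asp:Content>',
}

if __name__ == "__main__":
    for result in triage(SAMPLE_FILES):
        print(result)
```

A scan like this is a triage aid, not a verdict: legitimate admin pages also call file APIs, so the ranked output is meant to tell an analyst where to read first, with file creation time and the IIS log as the tie-breakers.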

These findings provided key insights into the attackers’ intent and sophistication, highlighting the complex and multi-faceted nature of modern cyber threats. As the investigation concluded, Trend Micro Managed XDR ensured that the affected server environment was thoroughly analyzed, and necessary remediation measures were implemented to prevent future breaches.

Resolution and Recommendations

Upon discovering additional malicious payloads, the affected endpoint was promptly isolated to prevent further spread and potential damage. The Managed XDR team collected these payloads for analysis and ensured that enhanced detection mechanisms were in place. Remote collection of additional server logs facilitated a thorough investigation into related activities, providing comprehensive insights into the attack timeline and methodologies. Based on the investigation’s findings, the team identified the source of the web shell upload as unrestricted file uploads in the server configuration. Immediate recommendations included disabling the vulnerable pages until proper file validation and authorization controls were established. It was also advised to install a robust security agent (Endpoint Protection Platform) to detect such threats upon arrival, further strengthening the server’s defenses.
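The root cause identified above was an upload handler that accepted any file and wrote it where IIS would serve it. The following is an added example, not the affected customer's ASP.NET code (the same rules apply there): it contrasts a naive target-path computation with a validated one that allow-lists extensions, rejects traversal and double extensions, checks the leading bytes against the claimed type, and stores the file under a random server-chosen name outside the web root. The web-root path reuses the directory named on the page; the storage directory, the allow-list and the magic-byte table are assumptions, and the functions only compute paths so the example runs without touching disk. Authorization of who may call the handler is a separate control and is not shown.

```python
"""Naive versus validated handling of an uploaded file name.

Added example, not the customer's ASP.NET code; the allow-list, magic-byte
table and storage directory are assumptions.  Only paths are computed, no
files are written.
"""
from __future__ import annotations

import ntpath
import re
import secrets

WEBROOT = r"E:\azure\azureapps\test"          # directory named on the page (assumed web root)
UPLOAD_STORE = r"E:\uploads_outside_webroot"  # assumed: a folder IIS does not serve
# Extension -> bytes the file must start with.  Anything else is refused.
ALLOWED = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_target(filename: str) -> str:
    """Vulnerable: trusts the client-supplied name, so shell.aspx lands in the
    web root and traversal sequences can leave the upload folder."""
    return ntpath.join(WEBROOT, filename)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Reject path separators, non-allow-listed or double extensions, odd
    characters, and content whose leading bytes contradict the extension."""
    base = filename.replace("\\", "/").split("/")[-1]
    if base != filename:
        return False, "path separators not allowed"
    stem, ext = ntpath.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in stem or not SAFE_STEM.match(stem):
        return False, "unsafe file name"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def safe_target(filename: str, content: bytes) -> str:
    """Hardened: validate, then store under a random server-chosen name
    outside the web root so nothing uploaded can ever be executed by IIS."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    ext = ntpath.splitext(filename)[1].lower()
    return ntpath.join(UPLOAD_STORE, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed inputs: a page-type file, a double extension, traversal,
    # mismatched content, and one acceptable document.
    for name, data in [("shell.aspx", b"<%@ Page %>"),
                       ("shell.aspx.pdf", b"%PDF-1.7"),
                       ("../invoice.pdf", b"%PDF-1.7"),
                       ("invoice.pdf", b"<%@ Page %>"),
                       ("invoice.pdf", b"%PDF-1.7 constructed")]:
        print(name, "naive ->", naive_target(name), "| validated ->", validate_upload(name, data))
```

Storing under a generated name outside the web root is the part that holds even when validation is bypassed: a file that IIS never serves cannot become a web shell, whatever its contents.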

An incident report detailing the analysis, findings, and recommendations was shared with the affected customer. This report served as a reference for understanding the impact and prioritizing necessary security measures. Emphasizing the importance of proactive measures, Trend Micro provided tailored recommendations to safeguard against similar threats. Key recommendations included implementing input validation and sanitization for all web inputs to prevent injection attacks, ensuring strong authentication processes, and limiting access to sensitive endpoints to authorized users. Regular patching of all systems and applications, especially critical components like web frameworks and server software, was strongly advised. Additionally, ensuring proper configuration of security products like endpoint detection and firewalls was crucial for maintaining defense against emerging threats.

Trend Micro Threat Intelligence offers a suite of intelligence reports and threat insights, empowering customers with comprehensive information on threat actors, their tactics, and operational techniques. This intelligence enables organizations to proactively protect their environments and respond effectively to threats, improving overall cybersecurity resilience.

Conclusion

The web shell intrusion case investigated by Trend Micro Managed XDR exemplified the intricate and adaptive nature of contemporary cyber threats. Through meticulous investigation and coordinated response, the threat was contained, and insightful observations were derived to bolster future defenses. The importance of maintaining updated security practices, rigorous monitoring, and rapid incident response cannot be overstated in the ongoing battle against cyber adversaries. This incident serves as a compelling reminder of the evolving complexity in web server security and the necessity for continuous vigilance and agility in cybersecurity practices.

Ultimately, safeguarding digital environments requires a proactive and informed approach, leveraging advanced threat intelligence, robust security configurations, and continuous education on emerging threat landscapes. By staying vigilant and implementing recommended security measures, organizations can better protect themselves from inevitable cyber threats and maintain secure operational environments.
