Microsoft DART team tracks 77k active web shells

In a blog post promoting the capabilities of its commercial security platform, Microsoft said that on a daily basis the company's security team detects and tracks on average around 77,000 active web shells, spread across 46,000 infected servers.

According to ZDNet, these numbers are staggering, since the 77,000 figure is far larger than any previous reports about web shell prevalence. For example, earlier this month GoDaddy's Sucuri reported on cleaning around 3,600 web shells from hacked websites during 2019, a number dwarfed by Microsoft's daily detection count.

A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application.

According to ZDNet, these numbers are staggering, since the 77,000 figure is far larger than any previous reports about web shell prevalence. For example, earlier this month GoDaddy's Sucuri reported on cleaning around 3,600 web shells from hacked websites during 2019, a number dwarfed by Microsoft's daily detection count.

Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, Master of Legal Studies (WASHU) & MS Criminal Justice and Cybercrime Investigation (BU), comments: 

"Web shells have existed for over a decade already. Today, many cyber gangs automate intrusion and web shell installation on vulnerable websites. Often, they harvest successfully deployed web shells in a few days or even weeks after launching the attack. Unless some obfuscation of code is used, a web shell can be easily located by various security software."

"Usually, once a web shell is uploaded, it is fairly simple to root the server by exploiting unpatched vulnerabilities or its insecure configuration. Detection of web shells is a fairly routine operation, moreover, such attacks are usually attributable to junior hackers unskilled or careless enough to upload a web shell without obfuscation and proper removal after backdooring the server."