Category: Malware & Ransomware (severity: HIGH)

PHP Web Shells - Microsoft Reveals Cookie-Controlled Threats

Source: The Hacker News
Tags: PHP, Linux, Web Shell, Remote Code Execution, Microsoft Defender

In short: attackers are using HTTP cookies to covertly control malicious PHP scripts on Linux servers.

Quick Summary

Microsoft reveals a new threat where PHP web shells use cookies for remote code execution on Linux servers. This stealthy tactic poses significant risks, allowing attackers to maintain persistence. Organizations must enhance their security measures to combat these evolving threats.

What Happened

Microsoft has uncovered a new tactic employed by threat actors, who are using HTTP cookies as the control channel for PHP-based web shells on Linux servers. This method lets them achieve remote code execution without raising alarms. Instead of relying on visible URL parameters or request bodies, these web shells use cookie values to gate execution and to control their malicious functionality.

How It Works

The technique lets the malicious code stay dormant during regular application use: it activates only when a request carries the specific cookie values it expects. It remains dormant across ordinary web requests, scheduled tasks, and trusted background processes alike. By reading input straight from the $_COOKIE superglobal, the attackers can execute commands without any additional request parsing, which leaves fewer visible traces in URLs and request bodies and makes the activity harder to detect.

Who's Being Targeted

The primary targets of this tactic are Linux servers, particularly those that host web applications. Organizations with inadequate security measures are especially exposed. Because the attack is stealthy, traditional security monitoring may not catch these threats, allowing them to persist undetected.

Signs of Infection

Indicators of compromise might include:

  • Unusual cookie values in web traffic
  • Unexpected scheduled tasks or cron jobs
  • Anomalous file creations in web directories

These signs can help administrators identify potential infections before they escalate.
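A file-level check for the $_COOKIE-to-execution pattern described under How It Works, and for the anomalous web-directory files listed among the signs of infection. This is an added example written for this page, not code from Microsoft or The Hacker News; the sink list and the regular expressions are assumptions about how the pattern appears in PHP source, and the two PHP fixtures are constructed.

```python
import re
from pathlib import Path

# PHP functions that evaluate code or run shell commands; a $_COOKIE value
# reaching one of these is the core of the cookie-controlled web shell pattern.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "create_function")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.I)
COOKIE_READ = re.compile(r"\$_COOKIE\s*\[")
COOKIE_ASSIGN = re.compile(r"(\$\w+)\s*=\s*\$_COOKIE\s*\[")  # $v = $_COOKIE[...]
COOKIE_GATE = re.compile(r"isset\s*\(\s*\$_COOKIE|\$_COOKIE\s*\[[^\]]*\]\s*={2,3}")  # activation gate

def scan_php(source: str) -> list:
    """Return human-readable findings for one PHP source text (empty if clean)."""
    findings, tainted, gated = [], set(), False
    for lineno, line in enumerate(source.splitlines(), start=1):
        if COOKIE_GATE.search(line):
            gated = True
        tainted.update(m.group(1) for m in COOKIE_ASSIGN.finditer(line))
        for m in SINK_RE.finditer(line):
            arg = line[m.end():]  # text after the sink's opening parenthesis
            if COOKIE_READ.search(arg):
                findings.append(f"line {lineno}: {m.group(1)}() called directly on $_COOKIE")
            elif any(re.search(re.escape(v) + r"\b", arg) for v in tainted):
                findings.append(f"line {lineno}: {m.group(1)}() receives a cookie-derived variable")
    if gated and findings:
        findings.append("execution is gated on a cookie check (dormant-until-keyed pattern)")
    return findings

def scan_tree(root: Path) -> dict:
    """Scan every *.php file under root; map relative path -> findings."""
    results = {}
    for path in root.rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results

# Constructed fixtures: a benign cookie read, and the cookie-gated execution pattern.
BENIGN = """<?php
$theme = $_COOKIE['theme'] ?? 'light';
echo '<body class="' . htmlspecialchars($theme) . '">';
"""
SUSPICIOUS = """<?php
if (isset($_COOKIE['k']) && $_COOKIE['k'] === 'open') {
    $c = $_COOKIE['c'];
    @eval($c);
}
"""
```

Run scan_tree(Path("/var/www")) against a web root; any hit is worth correlating with the file's creation time and with the cron entries the recommendations below tell you to audit.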

How to Protect Yourself

To mitigate the risk of these cookie-controlled web shells, Microsoft recommends several proactive measures:

  • Enforce multi-factor authentication for all hosting control panels and SSH access.
  • Monitor for unusual login activity to detect unauthorized access attempts.
  • Audit cron jobs and scheduled tasks regularly to identify suspicious entries.
  • Restrict execution of shell interpreters in web environments to limit potential attack vectors.
  • Limit the capabilities of hosting control panels to reduce the risk of exploitation.

Conclusion

The shift to cookie-controlled execution models represents a significant evolution in web shell tactics. By embedding malicious control logic in cookies, threat actors can maintain persistent access while minimizing observable indicators. Organizations must enhance their security postures to defend against these stealthy threats, ensuring that they remain vigilant against evolving attack strategies.

🔒 Pro insight: This tactic highlights a shift in attack strategies, where traditional detection methods may fail against cookie-based control mechanisms.

