Instructions on how to detect web shells
Over the past few days, a considerable number of data breaches have been discovered in Microsoft Exchange email servers, with a web shell having been installed on the server. Installing web shells in the victim’s environment has been a common form of attack, especially in conjunction with data breaches targeting Exchange servers, already since last year.
The National Cyber Security Centre of Finland (NCSC-FI) requests all organisations that have an Exchange email server to at least carry out the measures defined in these instructions to detect any web shells. Eliminating vulnerabilities by installing updates alone is not enough to remove any web shells installed by an attacker. The recent data breaches do not concern Microsoft’s email servers provided as cloud services, such as Exchange Online and Microsoft 365 Business.
These instructions aim to provide a few simple tips on how to detect web shells on servers. Attackers also have a number of other tools in their arsenal. However, these are not discussed in these instructions. Traces of attempted exploitations of the CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-2685 vulnerabilities, fixed at the beginning of March, should be sought from the Exchange email server’s logs following Microsoft’s instructions (External link).
The simplest way to detect web shell files is to check the email server’s directories available in the public network for any files that should not be there.
A more comprehensive way to detect additional harmful files is to compare the email server’s current directory structure with the basic installation (golden image).
If any traces of web shells are detected, the situation must be handled as a data breach. As a result, it is vital to identify whether the attacker has been able to access the organisation’s other data systems more broadly. Tips on how to detect data breaches are available in the data breach detection guidelines published by NCSC-FI (in Finnish). As the investigation of a data breach requires extensive technical expertise and resources, assistance should be acquired from providers of information security services.
NCSC-FI is interested in all observations related to data breaches, and it provides victims with guidance in the investigation process. Contact the NCSC-FI Coordination Centre by emailing cert@traficom.fi.
Also remember to report any detected data breaches to the police and to submit any statutory report to the supervisory authority.