Threat actors have been discovered using HTTP cookies as a stealthy control channel for PHP-based web shells on Linux servers, allowing them to execute remote code, according to research from the Microsoft Defender Security Research Team.
This new technique deviates from traditional methods where command execution is exposed through URL parameters or request bodies, instead relying on cookie values supplied by the threat actors to gate execution.
The use of HTTP cookies as a control channel for web shells is a concerning trend, as it can make detection more challenging for security teams, and highlights the importance of monitoring and analyzing cookie data in addition to other request parameters.
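As an added example (not code from the Microsoft research or the original article), the following Python script shows the kind of cookie-aware log review the paragraph calls for. It assumes an access-log format that appends the Cookie request header as the last quoted field, an allowlist of cookie names the application is known to set, and constructed sample lines; all three are assumptions for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Assumed log format: Apache "combined" with "%{Cookie}i" appended as a quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# Cookie names the application legitimately sets (assumed allowlist for this example).
KNOWN_COOKIES = {"PHPSESSID", "theme"}
# Fragments that have no business inside a browser cookie value.
SUSPICIOUS = re.compile(r"(system|exec|passthru|shell_exec|eval|base64_decode)\s*\(|\$_COOKIE|<\?php|`")

# Constructed sample lines: a normal visit, then two requests to a PHP file in an
# upload directory whose cookies carry base64- and URL-encoded PHP code.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc123; theme=dark"
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "curl/8.0" "sid=c3lzdGVtKCdpZCcpOw=="
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /uploads/cache.php HTTP/1.1" 200 90 "-" "curl/8.0" "x=system%28%27whoami%27%29%3B"
"""

def decode_layers(value):
    """Return the raw value plus URL-decoded and base64-decoded variants for inspection."""
    variants = {value, unquote(value)}
    for v in list(variants):
        try:  # tolerate missing padding; reject anything outside the base64 alphabet
            variants.add(base64.b64decode(v + "=" * (-len(v) % 4), validate=True).decode("utf-8", "ignore"))
        except ValueError:
            pass
    return variants

def flag_request(line):
    """Return a list of reasons a request's cookies look like a web-shell control channel."""
    m = LOG_RE.match(line)
    if not m or not m["path"].split("?")[0].endswith(".php") or m["cookie"] == "-":
        return []
    reasons = []
    for part in m["cookie"].split(";"):
        name, _, val = part.strip().partition("=")
        if name not in KNOWN_COOKIES:
            reasons.append(f"unexpected cookie name {name!r}")
        if any(SUSPICIOUS.search(v) for v in decode_layers(val)):
            reasons.append(f"code-like content in cookie {name!r}")
    return reasons

def scan(log_text):
    """Yield (ip, path, reasons) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        reasons = flag_request(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["path"], reasons))
    return hits
```

Run `scan(SAMPLE_LOG)` to see the two requests to `/uploads/cache.php` flagged; the allowlist and log pattern should be adapted to the application actually being monitored.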
By leveraging cron jobs on Linux servers, these web shells can persist even after a reboot, allowing threat actors to maintain a persistent presence on compromised systems and carry out malicious activities over time.
It is essential for organizations to be aware of this emerging threat and take proactive measures to protect their Linux servers, including implementing robust security controls, monitoring for suspicious activity, and keeping software up-to-date to prevent exploitation of known vulnerabilities like CVE-2022-22965 and others.
As the threat landscape continues to evolve, staying informed about the latest techniques and tactics used by threat actors is crucial for effective defense, and the Microsoft Defender Security Research Team’s findings serve as a reminder of the importance of ongoing vigilance and security research.
