Microsoft’s latest research has shed light on a concerning trend in the realm of cybersecurity: the use of HTTP cookies as a control channel for PHP-based web shells on Linux servers. This approach enables threat actors to achieve remote code execution, making it a significant threat to server security.

According to the Microsoft Defender Security Research Team, these web shells rely on cookie values supplied by threat actors to gate execution, rather than exposing command execution through URL parameters or request bodies. This tactic allows attackers to maintain a low profile and evade detection.
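One way a defender can hunt for the pattern described above is to scan PHP sources for code-execution or command-execution sinks whose arguments are derived from `$_COOKIE`. The script below is an added example written for this page, not code from Microsoft's research or the original article; its two PHP fixtures are constructed, and the taint tracking is a line-oriented heuristic for triage rather than a full PHP parser.

```python
import re

# Sinks that turn attacker-controlled strings into code or commands.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "create_function")

COOKIE_RE = re.compile(r"\$_COOKIE\s*\[")
# "$var = <rhs>" (rejects ==, =>, and .=); rhs runs to the end of the statement.
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]*)")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")

def _mentions(text, tainted):
    """True if text references $_COOKIE or any already-tainted variable."""
    if COOKIE_RE.search(text):
        return True
    return any(re.search(re.escape(v) + r"\b", text) for v in tainted)

def cookie_controlled_sinks(php_source):
    """Return [(line_no, sink)] for each sink call whose arguments mention
    $_COOKIE or a variable derived from it. Heuristic: taint only flows
    through plain assignments, one statement per line."""
    tainted = set()
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            if _mentions(m.group(2), tainted):
                tainted.add(m.group(1))
        for m in SINK_RE.finditer(line):
            if _mentions(line[m.end():], tainted):
                findings.append((no, m.group(1)))
    return findings

# Constructed fixtures (not real samples): a cookie-gated loader pattern
# versus an ordinary cookie read that never reaches a sink.
COOKIE_GATED = """<?php
if (isset($_COOKIE['sid'])) {
    $c = $_COOKIE['sid'];
    $d = base64_decode($c);
    eval($d);
}"""

BENIGN = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
echo htmlspecialchars($lang);
system('date');"""

if __name__ == "__main__":
    print(cookie_controlled_sinks(COOKIE_GATED))  # [(5, 'eval')]
    print(cookie_controlled_sinks(BENIGN))        # []
```

Because the check follows variables assigned from `$_COOKIE`, a `system('date')` call in a file that merely reads a language cookie is not flagged, while a decode-then-eval chain is.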

The fact that threat actors are leveraging HTTP cookies to control web shells is a notable departure from traditional methods. By using cookies, attackers can persist on compromised systems even after a reboot, making it challenging for security teams to detect and remediate the issue.

Microsoft’s findings highlight the importance of monitoring HTTP cookie traffic and implementing robust security measures to prevent such attacks. As the use of PHP web shells continues to evolve, it is essential for organizations to stay vigilant and adapt their security strategies to mitigate these emerging threats.

Linux server administrators and security professionals should be aware of this technique and take proactive steps to protect their systems. This includes regularly reviewing cookie traffic, implementing robust access controls, and keeping software up to date to prevent exploitation of known vulnerabilities such as CVE-2022-0995 and others.

Source: Original Article