Microsoft’s security research team has discovered a new technique used by threat actors to control PHP-based web shells on Linux servers, leveraging HTTP cookies to execute remote code.
Unlike traditional methods where command execution is exposed through URL parameters or request bodies, these web shells rely on cookie values supplied by the threat actors to control their execution.
Combined with cron jobs for persistence, this approach makes the web shells harder for security teams to detect and remove, because the command channel is hidden in cookie values rather than in the URL or request body that defenders usually inspect.
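As an added illustration (not code from the article or from Microsoft's research), the following Python script applies two defender-side checks drawn from the description above: it flags PHP source lines where a value from `$_COOKIE` reaches an execution sink, either directly or through an intermediate variable, and it lists cron entries that run a PHP script or a downloader so they can be reviewed. The PHP fixture and crontab text are constructed samples, and the list of sink functions is an assumption rather than anything the article states.

```python
import re

# PHP functions that execute code or shell commands (the "sinks" a web shell needs). Assumed list.
SINKS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\("
# A sink whose argument list references $_COOKIE directly.
COOKIE_SINK = re.compile(SINKS + r"[^;]*\$_COOKIE\b", re.IGNORECASE)
# An assignment that copies a cookie value into a local variable (simple taint tracking).
COOKIE_TAINT = re.compile(r"(\$\w+)\s*=(?!=)\s*[^;]*\$_COOKIE\b")
SINK_CALL = re.compile(SINKS + r"([^;]*)\)", re.IGNORECASE)
# Cron entries that run a PHP script or fetch a remote file; worth a look on a web server.
CRON_REVIEW = re.compile(r"\bphp\b.*\.php\b|\b(?:curl|wget)\b")


def find_cookie_sinks(php_source: str) -> list[int]:
    """Return 1-based line numbers where a cookie value reaches an execution sink,
    directly or via a variable that was assigned from $_COOKIE on an earlier line."""
    tainted: set[str] = set()
    hits: list[int] = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in COOKIE_TAINT.finditer(line):
            tainted.add(m.group(1))
        if COOKIE_SINK.search(line):
            hits.append(lineno)
            continue
        call = SINK_CALL.search(line)
        if call and any(re.search(re.escape(v) + r"\b", call.group(1)) for v in tainted):
            hits.append(lineno)
    return hits


def find_cron_entries_to_review(crontab_text: str) -> list[int]:
    """Return 1-based line numbers of non-comment cron entries that invoke PHP or a downloader."""
    return [
        n for n, line in enumerate(crontab_text.splitlines(), 1)
        if line.strip() and not line.lstrip().startswith("#") and CRON_REVIEW.search(line)
    ]


# Constructed fixtures for the checks above; not taken from the article.
SAMPLE_PHP = """<?php
$theme = $_COOKIE['theme'] ?? 'light';
echo htmlspecialchars($theme);
$payload = $_COOKIE['session_data'];
if ($payload) { @eval(base64_decode($payload)); }
system($_COOKIE['c']);
"""
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /usr/bin/php /var/www/html/artisan schedule:run
*/5 * * * * /usr/bin/php /var/www/html/uploads/.cache.php
30 2 * * * /usr/bin/certbot renew --quiet
"""
```

Running `find_cookie_sinks(SAMPLE_PHP)` reports lines 5 and 6 of the fixture (the cookie that is only echoed is not flagged), and `find_cron_entries_to_review(SAMPLE_CRON)` reports line 3.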
The use of cookie-controlled web shells highlights the evolving tactics of threat actors, who continually seek new ways to evade detection and maintain access to compromised systems.
As Linux servers remain a common target for web shell attacks, it is essential for organizations to stay vigilant and implement robust security measures to prevent and detect such threats.
By understanding these emerging techniques, security professionals can better equip themselves to defend against sophisticated attacks and protect their systems from potential breaches.
Source: Original Article
