The Microsoft Defender Security Research Team has reported threat actors using HTTP cookies as the control channel for PHP-based web shells on Linux servers, giving them remote code execution on the compromised hosts.

Instead of passing commands in URL parameters or the request body, the attacker sends them in the Cookie header. Default web server access logs (for example the Apache and nginx "combined" formats) record the request line, referrer and user agent but not cookies, so the command never appears in the logs or in the URL-based signatures defenders typically rely on, which makes the activity harder to detect and mitigate.

The shells also use the cookie to gate execution: the PHP code runs its payload only when a specific cookie carries the value the attacker chose, and otherwise behaves like an inert or harmless page. A scanner or analyst who requests the file without that cookie sees nothing suspicious, which lets the attacker keep persistent access without exposing activity through conventional request inspection.

Cookie-based control is a significant concern because it sidesteps controls built around URLs and request bodies, such as access-log review and URL pattern matching, making the shells harder to detect and respond to.

To protect against these attacks, organizations should harden their Linux web servers (close the initial access path used to drop the shell, prevent writes to the web root where possible, and disallow PHP execution in upload directories), monitor the web root for new or modified PHP files, and extend request logging to include the Cookie header (Apache: add %{Cookie}i to the LogFormat; nginx: add $http_cookie to the log_format) so that unusual cookies sent to otherwise unremarkable PHP files can be reviewed. Logged cookies contain session tokens, so treat those logs as sensitive data.
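As a concrete starting point for the web-root monitoring recommended above, and to make the cookie-gating pattern described earlier tangible, here is an added example scanner that is not part of the Microsoft report or of any real web shell. It scores PHP source files on three heuristics: a $_COOKIE lookup in the same file as an execution sink (eval, system, shell_exec and similar), a cookie compared against a literal value (the gate), and a decoder such as base64_decode wrapped around the payload. The three PHP snippets, the file names and the score weights are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# Functions that turn an attacker-supplied string into PHP code or a shell command.
EXEC_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# Decoders commonly used to hide the payload from a plain grep for commands.
DECODE_CALL = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
# Any read of the cookie superglobal.
COOKIE_REF = re.compile(r"\$_COOKIE\s*\[", re.I)
# A cookie value compared against a string literal: the execution gate.
COOKIE_GATE = re.compile(
    r"\$_COOKIE\s*\[[^\]]+\]\s*(?:===?|!==?)\s*['\"]", re.I)


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def scan_php_source(path: str, source: str) -> Finding:
    """Score one PHP file; 0 means no cookie-driven execution pattern was seen."""
    f = Finding(path)
    if not COOKIE_REF.search(source):
        return f  # no cookie input at all, so not this technique
    sinks = sorted({m.lower() for m in EXEC_CALL.findall(source)})
    if not sinks:
        return f  # cookies used for sessions/preferences only, no execution sink
    f.score += 3
    f.reasons.append("cookie input and execution sink in one file: " + ", ".join(sinks))
    if COOKIE_GATE.search(source):
        f.score += 2
        f.reasons.append("execution gated on a literal cookie value")
    decoders = sorted({m.lower() for m in DECODE_CALL.findall(source)})
    if decoders:
        f.score += 1
        f.reasons.append("payload decoded before use: " + ", ".join(decoders))
    return f


def scan_tree(root: str, threshold: int = 3) -> List[Finding]:
    """Walk a web root and return files at or above the threshold, highest score first."""
    hits = []
    for p in Path(root).rglob("*.php"):
        try:
            src = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; permissions or race with a deletion
        finding = scan_php_source(str(p), src)
        if finding.score >= threshold:
            hits.append(finding)
    return sorted(hits, key=lambda x: -x.score)


# Constructed PHP sources for demonstration; none is a real sample.
SAMPLES: Dict[str, str] = {
    # Gated shell: runs only when cookie 'sid' equals the attacker's value.
    "uploads/cache.php": (
        "<?php\n"
        "if (isset($_COOKIE['sid']) && $_COOKIE['sid'] === 'a1b2c3') {\n"
        "    eval(base64_decode($_COOKIE['data']));\n"
        "}\n"
    ),
    # Legitimate cookie use: language preference, no execution sink.
    "lib/session.php": (
        "<?php\n"
        "$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';\n"
        "setcookie('lang', $lang, time() + 86400);\n"
    ),
    # Ungated shell: cookie value passed straight to a command sink.
    "themes/footer.php": (
        "<?php\n"
        "$k = $_COOKIE['k'] ?? '';\n"
        "if ($k) { echo shell_exec($k); }\n"
    ),
}


def scan_samples() -> Dict[str, int]:
    """Score the constructed samples; returns {path: score}."""
    return {p: scan_php_source(p, s).score for p, s in SAMPLES.items()}


if __name__ == "__main__":
    for path, src in SAMPLES.items():
        result = scan_php_source(path, src)
        print(f"{result.score:>2}  {path}  {'; '.join(result.reasons)}")
```

Run scan_tree("/var/www/html") from a cron job and alert on anything scoring 3 or more, or diff its output against a baseline taken from a clean deployment. The heuristics are deliberately simple and will miss shells that assemble the superglobal name from fragments or reach it through variable variables; treat a hit as a file to read by hand, and treat a clean result as no more than "nothing obvious".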

Source: Original Article