T1505.003 Web Shell Mappings

CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.

CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.

CVE-2021-26857, part of Proxy Logon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.

CVE-2021-40539 is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.

CVE-2020-0688 is a RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.

CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.

This vulnerability gives an adversary access through exploitation of a public-facing server.

CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.

CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.

This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.

This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

CVE-2023-32315 is a path traversal bug in Openfire's administrative console that could be leveraged for remote code execution. Public reports have indicated that threat actors were exploiting this vulnerability to gain access to the Openfire plugins interface to create new admin console user accounts, install a malicious plugin, and gain access to a webshell.

This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker via a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs. The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.

This vulnerability is exploited by a remote adversary who has either authenticated to a Microsoft Exchange Server or has gained access to PowerShell prior to leveraging this vulnerability. The adversary then performs remote code execution via PowerShell to install a Chopper web shell to perform Active Directory reconnaissance and data exfiltration.

In certain versions of Spring Cloud Function, a vulnerability allows remote code execution through a specially crafted Spring Expression Language (SpEL) routing expression. This vulnerability, known as "Spring4Shell," can be exploited by sending crafted queries to a server running the Spring Core framework. Hackers are actively exploiting this flaw to execute malicious Java code on vulnerable servers. Initial exploit attempts were observed targeting a honeypot on port 9001. The exploit modifies logging configurations to create a webshell by writing code to a log file, which is then executed via a browser. Although there is scanning activity for vulnerable hosts, the exploitation is less widespread compared to Log4Shell, as it requires specific conditions beyond just using the framework.