The presence of web shells around a network are often one of the strongest signals of an ongoing or imminent cyber attack.

Pulling data from billions of emails, applications, endpoints and identities, Microsoft’s Detection and Response and 365 Defender teams are sounding the alarm that the number of observed attacks using web shell malware have nearly doubled since last year.

The data covers the period between August 2020 and January 2021, finding an average of 140,000 web shell attacks per month, up from around 77,000 per month over that same period the prior year.

Microsoft thinks a contributing factor to the rise is the relative ease in which hackers can quickly weaponize vulnerabilities to set up shells around victim networks.

In one instance last July, a critical configuration vulnerability found in widely used F5 Big-IP controllers that allowed for remote code execution was quickly seized on by malicious hackers. An exploit was added to Metasploit, a penetration testing kit that is also popular with cybercriminals, just four days after the flaw was disclosed. One day later, Microsoft began observing its use in the wild to upload web shells to vulnerable servers for a cryptomining scam, and the number of attacks exploded thereafter.

It also leaves an open doorway for cybercriminals to come back after they’ve been discovered or booted from an organization’s network.

“We frequently see cases where web shells are used solely as a persistence mechanism,” Microsoft’s security teams wrote. “Web shells guarantee that a backdoor exists in a compromised network, because an attacker leaves a malicious implant after establishing an initial foothold on a server. If left undetected, web shells provide a way for attackers to continue to gather data from and monetize the networks that they have access to.”

While they’re easy for attackers to set up, web shells can be difficult for defenders to detect, since they’re often targeted to specific servers and can hide in the noise of internet traffic, scanning, probing and unsuccessful attacks that most organizations see on a daily basis. They’re also dynamic and can be written in multiple programming languages in ways that can hide their malicious intent or convey ambiguous meanings to network defenders. Analyzing the context around a web shell “can be a challenge because the context is not clear until the shell is used.”

Microsoft’s data is the latest indication that web shells are becoming an increasingly popular form of malware relied on by cyber criminals and nation states. Last year the U.S. National Security Agency and Australian Signals Directorate released a detailed, technical joint advisory about the rising use of web shells by malicious actors, warning that they “pose a serious risk to [Department of Defense] components” and can be used to target public and non-public software and applications."

The agencies pointed to the "common misperception" that only internet-facing systems are targeted for web shells, with attackers frequently deploying web shells on such applications internal content management systems or network device management interfaces. “Internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements,” the advisory noted.