The shell is a crucial piece of your computer’s infrastructure. The shell, called Command Prompt on Windows and Bash on Linux, takes commands from the user and delivers them to the operating system. A shell user with administrative privileges is a force to be reckoned with, and attackers are well aware of the power such a user wields. Here are some reverse shell examples and prevention techniques.
What is a Reverse Shell?
The goal of any shell attack is to connect remotely to the victim’s shell. The most basic form of hijacking one device from another is a remote shell (often called a bind shell). Here, the attacker connects to the victim’s device and requests a shell session, so it is the attacker’s device that initiates the connection to the victim’s. However, modern firewalls and even basic antivirus programs are now adequate at preventing this: blocking an unfamiliar inbound IP address is a fairly simple task, and as soon as a malicious, shell-seeking connection is spotted, it is terminated. Nowadays, remote shell attacks are easily prevented, and getting around the firewall demands a sneakier approach.
This is where a reverse shell attack circumvents that protection: a reverse shell tricks the victim’s device into connecting out to an attacker-controlled server, so the connection originates from inside the network and is not caught by rules aimed at inbound traffic. This architecture also means that reverse shells allow for further escalation once a device has been breached. The victim’s connection to this command and control server is facilitated by the smorgasbord of zero-day vulnerabilities and misconfigurations found in many organizations’ tech stacks.
Log4shell In Reverse: Double Trouble
Log4j is an open-source logging utility, nestled firmly within the Apache open source ecosystem for Java applications. A critical component of many applications, both open-source and proprietary, Log4j became the epicenter of a major cybersecurity incident toward the end of 2021.
Log4j is a logging library, but one of its features allows applications to reference external information from within log messages. Via the Java Naming and Directory Interface (JNDI), an application can remotely retrieve information across a wide variety of protocols and sources. The sheer utility and permissive licensing of Log4j led to rapid adoption of the tool, particularly within cloud services such as Steam and Apple iCloud.
After a decade of supporting organizations and developers, Log4j suddenly started to crumble after the discovery of a never-before-seen flaw, now known as Log4Shell. The vulnerability centered on the utility’s capacity to retrieve external information that could alter variables within the app itself. This means that when an app uses Log4j to read and process external information, an attacker can load the external source with malicious code that, when processed, changes the parameters of the app itself. This allows attackers to make internal changes, completely remotely and without authorization, and sets the device up to make a connection to an attacker-controlled server. In this way, an unpatched Log4Shell flaw opens the door to a complete reverse shell attack.

The US Cybersecurity and Infrastructure Security Agency (CISA) documented several attacks that relied on a fixture of enterprise infrastructure: VMware. Attackers gained control of a device through an unpatched Log4j flaw buried within the virtualization product; they then proceeded to download a suite of malware with keylogging and further privilege escalation capabilities.
Log4Shell is massive: the vulnerability affected 93% of enterprise cloud environments upon its discovery, and it continues to be dangerous, with 60% of applications still unpatched as of April 2022. As catastrophic as Log4Shell continues to be, a reverse shell attack can be achieved with any vector that forces the device to connect to the malicious server.
A reverse shell attack is also possible via phishing emails and malicious websites. It is much easier to socially engineer a person into infecting their own system than to find and exploit complex application vulnerabilities.
Given the broad range of reverse shell attack vectors, a comprehensive protection suite is necessary to prevent your devices from being taken over. Traditional firewalls have a low success rate against these attacks, because they are mostly geared toward filtering incoming traffic; outgoing connections fall outside their area of effect.
How to Protect Against a Reverse Shell
Blocking all outgoing reverse shell connections can be hard. The goal is to reverse-shell-proof your servers, hardening your network through a suite of tightly controlled policies. With these, an entire network can be protected.
First, it is important to lock down all outgoing connections. The shared necessity across phishing, malicious sites, and app vulnerabilities is the core requirement for a device to connect outward. The most obvious prevention of reverse shell attacks therefore focuses on limiting outbound connections. By monitoring and limiting connections to specific ports, and only allowing connections to the IP addresses of trusted services, devices can be protected from reverse shells. This process will require your servers to run in sandboxes or minimal containers. Proxy servers can also be a valuable technique, as their restricted set of destinations provides the necessary tight controls.
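As an added example (not code from the original article), here is the policy from the paragraph above applied to constructed outbound connection records: every destination network, port, address and log line below is made up for illustration, and the check deliberately requires both a trusted IP and a trusted port, which is why an unknown host on 443 and a trusted host on an unexpected port are both flagged.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow-list of trusted services: (destination network, permitted ports).
# A real policy would list exactly the services each server needs to reach.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.0.53/32"), {53}),    # internal DNS resolver
    (ipaddress.ip_network("10.0.0.20/32"), {443}),   # internal package mirror
    (ipaddress.ip_network("192.0.2.0/24"), {443}),   # SaaS API the app depends on
]

@dataclass
class Connection:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str

def parse_line(line: str) -> Connection:
    """Parse one record in the constructed format '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Connection(ts, src, dst, int(dport), proto.lower())

def is_allowed(conn: Connection) -> bool:
    """Pass only if BOTH destination IP and port are trusted: IP alone would let a trusted
    host be reached on an odd port, port alone would let any host be reached over 443."""
    dst = ipaddress.ip_address(conn.dst)
    if dst.is_loopback:
        return True
    return any(dst in net and conn.dport in ports for net, ports in EGRESS_ALLOWLIST)

def find_suspicious(lines):
    """Return every connection that violates the egress policy (candidate callbacks)."""
    return [c for c in (parse_line(l) for l in lines if l.strip()) if not is_allowed(c)]

# Constructed outbound connection records from one web server (10.0.1.15).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.1.15 10.0.0.53 53 udp
2024-01-01T10:00:02Z 10.0.1.15 10.0.0.20 443 tcp
2024-01-01T10:00:03Z 10.0.1.15 192.0.2.10 443 tcp
2024-01-01T10:00:04Z 10.0.1.15 198.51.100.7 8443 tcp
2024-01-01T10:00:05Z 10.0.1.15 198.51.100.7 443 tcp
2024-01-01T10:00:06Z 10.0.1.15 10.0.0.53 443 tcp
"""

if __name__ == "__main__":
    for c in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT {c.ts} {c.src} -> {c.dst}:{c.dport}/{c.proto} not in egress allow-list")
```

In practice the same allow-list would be enforced on the host firewall or egress proxy; running it over connection logs catches anything that slipped past that enforcement.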
Alongside this, pruning your tech stack and keeping your application library as lean as possible leaves attackers a far smaller surface through which to launch attacks. By restricting their ability to run reverse shell code, your organization becomes a far more difficult victim, encouraging attackers to move along to an easier target.
Most importantly, code injection vulnerabilities need to be treated as high priority and patched with the utmost dedication and care. Existing code injection vulnerabilities provide the easiest and most repeatable way in for attackers, allowing them to plant and execute shell scripts. This, in turn, lets them escalate to root privileges, giving them total control over a device and network. Regularly patch your web applications and servers, and scan for vulnerable applications with a reliable vulnerability scanner.
Ultimately, there is only so much that can be done to harden a server. Blocking all network connections can be incredibly user-unfriendly, and it places extra strain on the admin team, who must approve every other request. A Web Application Firewall (WAF) solution can detect and identify patterns of communication that look like reverse shell attacks, allowing for real-time detection and prevention. Next-generation WAF solutions offer the best of both worlds for both users and security.