Key Takeaway
Microsoft Defender researchers documented PHP web shells on Linux servers that take their commands from HTTP cookie values instead of URL parameters or request bodies. Because most logging and inspection concentrates on the URL and body, the cookie channel evades common detections and complicates incident response.
The Microsoft Defender Security Research Team has described a technique in which threat actors use HTTP cookies as the control channel for PHP-based web shells deployed on Linux servers. It deviates from the conventional pattern of passing commands in URL parameters or the HTTP request body. Instead, the attacker embeds the command in a cookie value; the web shell reads it (in PHP, from the $_COOKIE superglobal or the raw Cookie header in $_SERVER['HTTP_COOKIE']) and hands it to an execution function such as eval() or system().
This is not a vulnerability in PHP or in the application's own cookie handling: the web shell is attacker-planted code that deliberately treats the cookie value as a command, so the remote code execution (RCE) is a consequence of whatever compromise put the shell on the server. What the cookie channel changes is visibility. By carrying commands in a header that URL- and body-focused controls rarely inspect, the adversary's command-and-control (C2) traffic blends into ordinary session traffic.
The technique requires a PHP web shell already present on a Linux server, typically dropped through exploitation of another vulnerability, a misconfiguration, or an insecure deployment practice (for example an upload directory that executes PHP). Once in place, the shell waits for HTTP requests carrying the crafted cookie, letting the threat actor run commands as the web server user, manipulate files, attempt privilege escalation, or pivot within the environment.
The real-world impact is significant. Commands hidden in the Cookie header are far less scrutinized than query strings and POST bodies: the default "combined" access log formats of Apache and Nginx do not record cookies at all, so a responder reconstructing activity from access logs sees only innocuous-looking GET requests. Attackers using this method can maintain persistent access while leaving a minimal footprint in the artifacts most commonly reviewed.
Security teams should prioritize finding and eradicating PHP web shells on their Linux servers: review web roots and upload directories for PHP files that pass $_COOKIE data (directly or through a variable) to eval(), system(), exec(), passthru(), shell_exec() or similar functions. Where cookies can be inspected (a WAF, a reverse proxy, or access logs configured to record the Cookie header), look for values that decode to commands, that are unusually long or high-entropy, or that belong to cookie names the application never sets. Ensuring that web applications and server configurations do not allow unauthorized file uploads, and that upload directories cannot execute PHP, is critical.
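One way to hunt for such shells on disk, as an added example that is not code from Microsoft's research or from the original article: a Python scanner that flags PHP source where $_COOKIE data reaches an execution sink, either in the same statement or through a variable assigned from the cookie. The sink list, the one-hop taint heuristic and the three PHP snippets are this example's own constructed assumptions.

```python
import os
import re

# PHP functions through which cookie-supplied data becomes code or a shell
# command (assumed list; longer names first so the alternation does not stop early).
SINK_NAMES = (
    "call_user_func_array", "call_user_func", "create_function",
    "include_once", "require_once", "include", "require",
    "shell_exec", "proc_open", "passthru", "popen", "system", "assert",
    "exec", "eval",
)
# A sink name that is not part of a longer identifier, optionally followed by "(".
_SINK = r"(?<![\w$])(?:%s)(?!\w)\s*\(?" % "|".join(map(re.escape, SINK_NAMES))
# Cookie data reaching a sink within the same statement (no ";" in between).
DIRECT_RE = re.compile(_SINK + r"[^;]*?\$_COOKIE")
# A plain variable assigned from cookie data (one-hop taint).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*[^;]*?\$_COOKIE")


def _line_of(source, offset):
    return source.count("\n", 0, offset) + 1


def find_cookie_sinks(source):
    """Return {line, kind, match} for each place cookie data reaches a sink."""
    findings = []
    for m in DIRECT_RE.finditer(source):
        findings.append({"line": _line_of(source, m.start()),
                         "kind": "direct", "match": m.group(0)})
    tainted = sorted({m.group(1) for m in ASSIGN_RE.finditer(source)} - {"_COOKIE"})
    for var in tainted:
        via = re.compile(_SINK + r"[^;]*?\$" + re.escape(var) + r"(?!\w)")
        for m in via.finditer(source):
            findings.append({"line": _line_of(source, m.start()),
                             "kind": "via $" + var, "match": m.group(0)})
    return findings


def scan_tree(root):
    """Walk a document root and report every PHP file with at least one hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_cookie_sinks(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed PHP snippets for illustration; none is a real recovered artifact.
SHELL_DIRECT = """<?php
/* constructed sample: cookie value decoded and executed in one statement */
@eval(base64_decode($_COOKIE['k']));
"""
SHELL_INDIRECT = """<?php
$c = isset($_COOKIE['cmd']) ? $_COOKIE['cmd'] : '';
if ($c !== '') {
    system($c);
}
"""
BENIGN_SNIPPET = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
echo htmlspecialchars($lang, ENT_QUOTES, 'UTF-8');
"""

if __name__ == "__main__":
    for label, src in (("direct", SHELL_DIRECT), ("indirect", SHELL_INDIRECT),
                       ("benign", BENIGN_SNIPPET)):
        print(label, "->", find_cookie_sinks(src) or "no cookie-to-sink flow")
```

Treat this as a triage aid, not proof of absence: shells that build the superglobal name from string fragments, read $GLOBALS or $_SERVER['HTTP_COOKIE'], or call extract($_COOKIE) will not match these patterns, and legitimate code that includes a file named by a cookie will. Run scan_tree() against the web root and inspect every hit by hand.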
Applying vendor patches for the underlying vulnerabilities exploited to deploy web shells is essential. Endpoint detection and response (EDR) tools with behavioral analytics catch the consequence rather than the cookie: a web server worker such as php-fpm or apache2 spawning /bin/sh, curl, or other unexpected child processes. Inspection of the cookie itself belongs at the network layer, where a NIDS, WAF, or reverse proxy can flag requests whose cookies are oversized, high-entropy, or decode to shell or PHP syntax.
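The request-side check described here, and the covert channel described in the technique section above, as an added example that is not from Microsoft's research or the original article: a Python inspector that takes a raw Cookie header, tries the plaintext, URL-decoded, base64 and hex forms of each value, and flags values that decode to command or PHP syntax or that are long and high-entropy under a cookie name the application does not set. The indicator list, the cookie allowlist, the 4.5 bits/char threshold and the four sample headers are all this example's constructed assumptions.

```python
import base64
import binascii
import math
import re
from urllib.parse import unquote

# Strings a decoded command payload is likely to contain (assumed list; extend
# with the commands your own hunts have turned up).
COMMAND_INDICATORS = re.compile(
    r"(?:(?<![\w$])(?:system|exec|shell_exec|passthru|eval|assert|popen|proc_open)\s*\("
    r"|/bin/(?:ba|da)?sh(?!\w)|(?<!\w)(?:whoami|uname|curl|wget)(?!\w)"
    r"|/etc/passwd|base64_decode|<\?php)"
)
# Cookie names the protected application legitimately sets (assumed allowlist).
KNOWN_COOKIES = {"PHPSESSID", "csrftoken", "lang"}


def shannon_entropy(text):
    """Bits per character; random base64 is near 6, English prose near 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def candidate_decodings(value):
    """Yield the plaintexts an attacker's cookie value might be hiding."""
    raw = unquote(value)
    yield raw
    # Hand-rolled shells often send base64 (standard or URL-safe) without padding.
    for fixed in (raw, raw.replace("-", "+").replace("_", "/")):
        padded = fixed + "=" * (-len(fixed) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", raw):
        yield bytes.fromhex(raw).decode("utf-8", "replace")


def parse_cookie_header(header):
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def inspect_cookie_header(header, entropy_bits=4.5, long_value=64):
    """Return one finding per cookie that looks like a command channel."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        reasons = []
        for text in candidate_decodings(value):
            hit = COMMAND_INDICATORS.search(text)
            if hit:
                reasons.append("command indicator %r after decoding" % hit.group(0))
                break
        entropy = shannon_entropy(value)
        if name not in KNOWN_COOKIES and len(value) >= long_value and entropy >= entropy_bits:
            reasons.append("high-entropy value (%.2f bits/char) in unknown cookie" % entropy)
        if reasons:
            findings.append({"cookie": name, "reasons": reasons})
    return findings


# Constructed sample Cookie headers, not captured traffic.
BENIGN_HEADER = "PHPSESSID=o2k7b4c8d1e5f9g3h6i0j2k4l8; lang=en"
BASE64_COMMAND_HEADER = ("PHPSESSID=o2k7b4c8d1e5f9g3h6i0j2k4l8; tk="
                         + base64.b64encode(b"system('id');").decode())
URLENCODED_COMMAND_HEADER = "cmd=%2Fbin%2Fsh%20-c%20whoami; lang=en"
HIGH_ENTROPY_HEADER = ("x=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
                       "ABCDEFGHIJKLMNOP")

if __name__ == "__main__":
    for header in (BENIGN_HEADER, BASE64_COMMAND_HEADER,
                   URLENCODED_COMMAND_HEADER, HIGH_ENTROPY_HEADER):
        print(header[:50], "->", inspect_cookie_header(header) or "clean")
```

Feed it from a point that actually sees the header: a WAF or reverse-proxy hook, or access logs with the Cookie header added to the log format, since the default formats omit it. The entropy rule will also fire on legitimate long tokens such as JWTs, so the allowlist needs to be populated from the application's real cookie names before the check is used for alerting.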
In summary, this abuse of HTTP cookies as a command channel for PHP web shells underscores the need to monitor every part of the HTTP request, headers included, and to harden servers against the file uploads and code execution that put web shells on Linux hosts in the first place.
Original Source
The Hacker News