https://feed.craftedsignal.io/tags/webshell/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 19 Mar 2026 05:26:28 +0000https://feed.craftedsignal.io/briefs/2024-05-warlock-webshell-ransomware/Thu, 19 Mar 2026 05:26:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-warlock-webshell-ransomware/The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.This brief describes a Warlock attack, as detailed in a Trend Micro analysis, involving the use of web shells, tunneling, and ransomware deployment. The Warlock group compromises systems by leveraging web shells for initial access and establishing tunnels for persistent access and command and control. This access is then used to deploy ransomware, encrypting critical data and demanding ransom payments from victims. The specific ransomware family and web shell variants employed are not detailed in the provided context, but the overall attack flow is consistent with financially motivated cybercrime operations. Defenders should prioritize detection of web shell activity, unauthorized tunneling, and ransomware execution to mitigate the risk of compromise by the Warlock group.

Attack Chain

1. Initial Access: The attacker gains access to the target system by exploiting vulnerabilities to deploy a web shell (details of the vulnerability are not provided).
2. Web Shell Execution: The attacker executes commands through the web shell to perform reconnaissance and identify valuable targets within the network.
3. Tunnel Establishment: A tunnel is established to maintain persistent access and bypass security controls (specific tunneling technology not provided).
4. Lateral Movement: The attacker leverages the established tunnel to move laterally within the network, compromising additional systems.
5. Credential Access: The attacker attempts to harvest credentials to gain elevated privileges and access to critical resources (specific tools/techniques not provided).
6. Ransomware Deployment: The attacker deploys ransomware across the network, encrypting files and rendering systems unusable.
7. Ransom Demand: A ransom note is left on the compromised systems, demanding payment for decryption keys.
8. Data Exfiltration (Possible): Prior to encryption, the attacker may exfiltrate sensitive data to further pressure victims into paying the ransom (not explicitly stated, but a common practice).

Impact

The Warlock attack results in significant disruption to victim organizations through ransomware deployment. Systems are rendered unusable due to encryption, potentially leading to operational downtime and financial losses. If data exfiltration occurs, the confidentiality of sensitive information is also compromised, increasing the potential for reputational damage and legal liabilities. The lack of specific victim counts and sector targeting data in the provided context limits a comprehensive impact assessment.

Recommendation

• Deploy a web shell detection rule (see below) to identify suspicious web shell activity on web servers based on process creation.
• Implement a network monitoring rule (see below) to detect unusual tunneling activity based on network connections from web servers.
• Enable file integrity monitoring to detect unauthorized modifications to web server files that could indicate web shell installation (reference file_event log source).

]]>criticalthreatwebshellransomwaretunnelinghttps://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/Fri, 05 Jan 2024 18:22:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.CVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.

Attack Chain

1. The attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., *.action).
2. The HTTP POST request contains a multipart/form-data content type with a WebKitFormBoundary string.
3. The request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.
4. The attacker bypasses security controls due to the path traversal vulnerability.
5. The attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat’s webapps directory.
6. A Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.
7. The attacker accesses the deployed web shell via HTTP.
8. The attacker executes arbitrary commands on the server through the web shell.

Impact

Successful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.

Recommendation

• Deploy the Sigma rule “Apache Struts CVE-2023-50164 Webshell Creation” to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.
• Deploy the Sigma rule “Apache Struts CVE-2023-50164 Suspicious POST Request” to detect suspicious POST requests to Struts endpoints with multipart/form-data content containing WebKitFormBoundary, as indicated in the Attack Chain.
• Patch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.
• Enable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.

]]>highadvisoryapache-strutswebshellcve-2023-50164initial-accesspersistencecommand-and-controlhttps://feed.craftedsignal.io/briefs/2024-01-weaver-eoffice-upload/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-weaver-eoffice-upload/Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.Weaver E-office, a web-based office automation system, is vulnerable to an unauthenticated arbitrary file upload vulnerability (CVE-2022-50993) affecting versions prior to 10.0_20221201. The vulnerability exists within the OfficeServer.php endpoint, allowing remote attackers to upload arbitrary files without authentication. This is achieved by sending multipart POST requests with manipulated filenames and content types. The Shadowserver Foundation observed initial exploitation evidence on October 10, 2022. Successful exploitation enables attackers to upload malicious PHP webshells to the Document directory and execute them via HTTP GET requests, leading to remote code execution on the affected server as the web server user. This can compromise the confidentiality, integrity, and availability of the E-office system and the underlying server.

Attack Chain

1. An unauthenticated attacker sends a crafted HTTP POST request to the OfficeServer.php endpoint.
2. The POST request includes a multipart form with a file upload field.
3. The attacker sets an arbitrary filename for the uploaded file, typically with a .php extension.
4. The attacker disguises the content type of the uploaded file to bypass basic server-side checks.
5. The server saves the uploaded file (a PHP webshell) to the Document directory.
6. The attacker sends an HTTP GET request to the uploaded PHP webshell file.
7. The web server executes the PHP code within the uploaded file.
8. The attacker achieves remote code execution as the web server user, enabling further malicious activities.

Impact

Successful exploitation of CVE-2022-50993 allows an unauthenticated attacker to execute arbitrary code on the affected Weaver E-office server. This can lead to complete system compromise, data theft, modification of sensitive data, and disruption of services. The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. While the number of victims and specific sectors targeted are not detailed, organizations using vulnerable versions of Weaver E-office are at high risk.

Recommendation

• Upgrade Weaver E-office to version 10.0_20221201 or later to patch CVE-2022-50993.
• Deploy the Sigma rule “Detect Weaver E-office Webshell Upload” to detect malicious PHP file uploads to the OfficeServer.php endpoint.
• Monitor web server access logs for requests to the Document directory with .php extensions, indicative of webshell execution.
• Implement web application firewall (WAF) rules to block suspicious POST requests to OfficeServer.php with arbitrary file upload attempts.

]]>criticaladvisorycve-2022-50993file-uploadwebshellrcee-office