This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells on vulnerable web applications, exploiting vulnerable or unpatched public-facing applications to gain initial access.
Analysis Summary
# Incident Report: Q4 2024 Web Shell and Ransomware Spike
## Executive Summary
In Q4 2024, Cisco Talos Incident Response observed a significant pivot in threat actor tactics, shifting away from valid account compromise towards exploiting vulnerable, public-facing applications to deploy web shells for initial access. This period also saw a corresponding surge in ransomware activities, particularly involving BlackBasta, where observed dwell times ranged from 17 to 44 days, often facilitated by the lack of proper Multi-Factor Authentication (MFA) implementation. Response efforts focused on containment, malware removal, and remediation across environments dealing with various known and new ransomware variants.
## Incident Details
- **Discovery Date:** Not explicitly stated, but analysis covers Q4 2024 activities (ending December 31, 2024).
- **Incident Date:** Activities occurred throughout Q4 2024.
- **Affected Organization:** Various organizations across multiple incidents analyzed by Talos IR.
- **Sector:** Not explicitly disclosed; general enterprise environments targeted.
- **Geography:** Not explicitly disclosed; global scope implied by IR engagements.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout Q4 2024.
- **Vector:** Exploitation of vulnerable or unpatched public-facing applications. This became the **most observed method**, replacing valid account compromise used frequently in prior quarters.
- **Details:** Installation of web shells (including Neo-reGeorg-based tunnelling shells) through exploited vulnerabilities. In some cases the web fuzzer ffuf (Fuzz Faster U Fool) was used to enumerate paths and brute-force web applications before exploitation.
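When a web shell is the suspected entry point, the first responder task is to find it. The following script is an added example (not from the Talos report) that triages a web root with generic heuristics: it scores PHP, JSP and ASP.NET files on code-execution primitives, payload decoding, request-controlled input and raw socket use. A Neo-reGeorg-style `401.php` or a JexBoss-dropped `jexws4.jsp` would be expected to score highly, but the markers are heuristics, not signatures for those tools, and the sample files, thresholds and weights are constructed for the example.

```python
"""Heuristic triage of a web root for script files that look like web shells.

Added example, not from the Talos report. Weights and the threshold are
heuristic choices; tune them against a known-clean copy of the application.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}

# (regex, weight, description). Each marker is counted at most once per file.
MARKERS = [
    (re.compile(r"\b(eval|assert|create_function)\s*\(", re.I), 3,
     "dynamic code evaluation"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|ProcessBuilder)\s*\("
                r"|Runtime\.getRuntime\(\)|Process\.Start\s*\(|cmd\.exe", re.I), 3,
     "OS command execution primitive"),
    (re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(|Base64\.getDecoder|FromBase64String", re.I), 2,
     "payload decoding"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[|request\.get(Parameter|Header)\s*\("
                r"|Request\.(Form|QueryString|Headers)", re.I), 1,
     "request-controlled input"),
    (re.compile(r"\bfsockopen\s*\(|new\s+Socket\s*\(|TcpClient", re.I), 2,
     "raw socket use (tunnelling/proxy shells)"),
]


@dataclass
class Finding:
    path: str
    score: int
    reasons: list[str] = field(default_factory=list)


def score_source(text: str) -> tuple[int, list[str]]:
    """Score one file's source; returns (score, list of matched marker descriptions)."""
    score, reasons = 0, []
    for pattern, weight, desc in MARKERS:
        if pattern.search(text):
            score += weight
            reasons.append(desc)
    # Long base64-looking blobs are common in packed or encrypted shells.
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", text):
        score += 2
        reasons.append("long base64-like blob")
    return score, reasons


def triage_webroot(root: str, threshold: int = 4) -> list[Finding]:
    """Walk the web root and return script files scoring at or above the threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            score, reasons = score_source(text)
            if score >= threshold:
                findings.append(Finding(path, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample files for the example; not real captured artefacts.
SAMPLES = {
    "index.php": "<?php\necho 'Welcome'; include 'header.php';\n",
    "401.php": "<?php\n$k='x';$d=base64_decode($_POST['d']);@eval($d);\n"
               "$s=fsockopen($_GET['h'],$_GET['p']);\n",
    "jexws4.jsp": '<% String c=request.getParameter("ppp"); '
                  'Process p=Runtime.getRuntime().exec(c); %>',
    "notes.txt": "eval( system( base64_decode( -- ignored: not a script extension",
}


def demo() -> dict[str, int]:
    """Write the constructed samples to a temp dir, triage it, return {filename: score}."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(f.path): f.score for f in triage_webroot(root)}


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{score:>2}  {name}")
```

Run it against the actual document root of the exploited application and sort by modification time as well as score: a high-scoring file whose mtime post-dates the last deployment is the one to pull for analysis. Scores are a triage aid only; a shell that stores its logic in an encrypted request body may match nothing but the decoding marker.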
### Lateral Movement
- **Date/Time:** Post-initial access, often preceding ransomware execution (dwell times ranged from 17 to 44 days).
- **Vector:** Compromised valid accounts were leveraged in 75% of ransomware engagements. Social engineering was used to obtain employee accounts (BlackBasta example). Adversaries ran internal network scans and often modified Windows Firewall settings to keep remote access open.
- **Details:** Tools like PsExec and Impacket were likely leveraged post-compromise for movement ("S0029 PsExec," "S0357 Impacket").
### Data Exfiltration/Impact
- **Date/Time:** Prior to ransomware deployment or as part of extortion.
- **Vector:** Data theft/exfiltration to attacker-controlled cloud storage was noted (T1567.002, T1537).
- **Impact:** Ransomware execution (BlackBasta, Interlock, RansomHub), Data Encrypted for Impact (T1486), and Inhibit System Recovery (T1490 - disabling volume shadow copies).
### Detection & Response
- **Detection:** Detection varied; dwell times suggest adversaries successfully evaded initial detection systems for extended periods (up to 44 days in one case).
- **Response Actions:** Containment involved addressing web shell deployment, securing systems from ransomware execution, and potentially rebuilding from backups after encryption events.
## Attack Methodology
- **Initial Access:** Exploitation of Web Applications (Web Shell deployment).
- **Persistence:** Modifying Windows Firewall settings to enable remote access; use of commercial remote access tools.
- **Privilege Escalation:** Not explicitly detailed for all incidents, but implied necessary for full network effect.
- **Defense Evasion:** Use of older, largely forgotten exploitation tools (e.g., JexBoss against legacy JBoss servers) and low-noise post-compromise activity, reflected in the long dwell times.
- **Credential Access:** Credential harvesting tools (LaZagne, Mimikatz). Accessing backup passwords noted in RansomHub incidents.
- **Discovery:** Internal network scanning (commercial network scanning tools observed).
- **Lateral Movement:** Leveraging compromised valid accounts; use of PsExec/Impacket likely.
- **Collection:** Gathering data of interest for exfiltration.
- **Exfiltration:** Exfiltration to Cloud Storage (T1567.002) and Transfer Data to Cloud Account (T1537).
- **Impact:** Data Encryption (Ransomware T1486) and Inhibit System Recovery (T1490).
## Impact Assessment
- **Financial:** Not quantified, but implied significant cost due to ransomware negotiations/recovery and consultant fees.
- **Data Breach:** Data theft was a noted component in ransomware engagements (RansomHub incidents involved data theft extortion). Full scope unknown.
- **Operational:** Significant operational disruption due to ransomware execution following dwell periods up to 44 days.
- **Reputational:** Potential reputational damage associated with high-profile ransomware campaigns (BlackBasta, RansomHub).
## Indicators of Compromise
- **Network indicators:** Traffic from commercial remote access tools (e.g., Splashtop, AnyDesk), use of a Discord IP address during reconnaissance (Web Service, T1102), C2 communication over HTTP (Web Protocols, T1071.001), Invoke-SocksProxy traffic (Proxy, T1090).
- **File indicators:** Web shell files (e.g., "401.php" with a Neo-reGeorg structure, "jexws4.jsp" as dropped by JexBoss). Ransomware binaries (Interlock, BlackBasta). A Veeam password stealer (consistent with the backup credential access noted above). The KMSAuto activation tool.
- **Behavioral indicators:** Modification of Windows Firewall settings for persistent remote access. Brute-forcing attacks against web applications.
## Response Actions
- **Containment:** Disabling access channels used by web shells; isolating systems from further ransomware execution.
- **Eradication:** Removal of unauthorized web shells, remote access tools, and secondary persistence mechanisms (firewall rule changes).
- **Recovery:** Restoring encrypted files, re-securing compromised accounts, and enforcing MFA.
## Lessons Learned
- The heavy reliance of threat actors on exploiting unpatched, public-facing applications underlines the critical need for stringent vulnerability and patch management across all external assets.
- The near-universal lack of properly implemented MFA was a critical factor in enabling the impact of identity-based attacks during ransomware engagements.
- Long dwell times confirm that adversaries are taking time to thoroughly map networks and target backups before deployment, necessitating robust threat hunting spanning weeks, not just days.
## Recommendations
- Implement strict, enterprise-wide Multi-Factor Authentication (MFA) and regularly test configurations for bypass potential across all services.
- Establish a rapid patching cadence, prioritizing internet-facing applications and known critical vulnerabilities.
- Review and restrict the use of legacy or vulnerable application servers (like JBoss) or ensure they are completely segmented from the core network.
- Enhance network monitoring to detect the deployment and execution of post-compromise tools (PsExec, Cobalt Strike) and unusual modifications to local host configurations (e.g., Windows Firewall).
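The last recommendation, together with the firewall-modification persistence, the T1490 shadow copy deletion and the PsExec/Impacket lateral movement described above, is concrete enough to turn into detection logic. The following is an added example (not from the Talos report) that evaluates rules over Sysmon Event ID 1 style process-creation records. The sample events are constructed; the ATT&CK mapping of firewall changes to T1562.004 (Impair Defenses: Disable or Modify System Firewall) is mine where the page gives none; and the Impacket rule keys on the well-known wmiexec output redirection to `\\127.0.0.1\ADMIN$\__<timestamp>`.

```python
"""Rule-based triage of Windows process-creation events for firewall rule
changes, Inhibit System Recovery (T1490) commands, and PsExec / Impacket-style
remote execution.

Added example, not from the Talos report. Input records carry the Sysmon
Event ID 1 fields used here: UtcTime, User, Image, ParentImage, CommandLine.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK technique or software ID (T1562.004 is my mapping)
    pattern: re.Pattern


RULES = [
    Rule("Windows Firewall rule added or changed via netsh", "T1562.004",
         re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bfirewall\b.*\b(add|set)\s+rule\b", re.I)),
    Rule("Windows Firewall rule added or changed via PowerShell", "T1562.004",
         re.compile(r"\b(New|Set)-NetFirewallRule\b", re.I)),
    Rule("Volume shadow copies deleted", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                    r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("Backup catalog deleted", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    Rule("Boot recovery disabled", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("PsExec service binary", "S0029",
         re.compile(r"\bPSEXESVC(\.exe)?\b", re.I)),
    Rule("Impacket wmiexec-style output redirection", "S0357",
         re.compile(r"cmd\.exe\s+/Q\s+/c\s.*\s1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
]


@dataclass(frozen=True)
class Alert:
    time: str
    user: str
    rule: str
    technique: str
    command_line: str


def evaluate(events) -> list[Alert]:
    """Match every rule against Image + CommandLine of each event; one alert per hit."""
    alerts = []
    for ev in events:
        haystack = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}"
        for rule in RULES:
            if rule.pattern.search(haystack):
                alerts.append(Alert(ev["UtcTime"], ev["User"], rule.name, rule.technique, ev["CommandLine"]))
    return alerts


def is_ransomware_staging(alerts, window: timedelta = timedelta(minutes=30)) -> bool:
    """True when a T1490 hit sits within the window of any other rule hit.

    Recovery inhibition next to remote execution or firewall changes is the
    pre-encryption pattern worth escalating immediately rather than queueing.
    """
    stamped = [(datetime.strptime(a.time, "%Y-%m-%d %H:%M:%S"), a.technique) for a in alerts]
    for t_recovery, tech in stamped:
        if tech != "T1490":
            continue
        for t_other, other in stamped:
            if other != "T1490" and abs(t_other - t_recovery) <= window:
                return True
    return False


# Constructed sample events for the example; hostnames, users and times are invented.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-03 02:14:05", "User": "CORP\\svc_backup", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Support" dir=in action=allow protocol=TCP localport=3389'},
    {"UtcTime": "2024-11-03 02:14:09", "User": "CORP\\svc_backup", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2024-11-03 02:14:11", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"UtcTime": "2024-11-03 02:15:40", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1730600140.27 2>&1"},
    {"UtcTime": "2024-11-03 02:16:00", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "netsh interface ip show config"},  # benign
    {"UtcTime": "2024-11-03 02:16:30", "User": "CORP\\jdoe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a report.zip Q4.docx'},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.time}  {a.technique:<10} {a.user:<20} {a.rule}")
    print("ransomware staging pattern:", is_ransomware_staging(hits))
```

The benign `netsh interface ip show config` event is included deliberately: a rule that fires on `netsh.exe` alone will bury the firewall change in administrator noise, so the pattern requires the `advfirewall firewall add|set rule` verb. In production, replace `SAMPLE_EVENTS` with records pulled from the SIEM and group alerts per host before applying the staging check.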