Last-minute paper: The shell in the web

Thursday 5 October 11:30 - 12:00, Red room

Simon Roses Femerling (VULNEX)



Web shells are post-exploitation scripts used by different actors on the Internet as a mechanism to maintain access to, and persistence in, an organization once it has been compromised. In short, they are powerful remote management tools.

Despite the much-cited US-CERT alert (TA15-314A) published in November 2015 on the increased use of web shells by attackers and how to detect them, the problem has not only continued but increased. In July 2016, IBM X-Force published several blogs on the rising use by attackers of powerful web shells known as C99 and B374K, but the reality is that there are hundreds of different web shells with all kinds of offensive capabilities. MITRE ATT&CK keeps a list of known APTs that use web shells to maintain access.

This talk is a vision of the current state of web shells: what they are, the different types, how to detect them and how to mitigate their impact on an organization, based on the study of hundreds of web shells in different programming languages such as PHP, ASP, Perl and Python to determine their offensive capabilities and obfuscation methods, perform attacker profiling and establish reliable methods of detection.

Attackers have used web shells for decades, but even today many security experts are not familiar with these post-exploitation tools, much less with how to detect and analyse them.

Given the proliferation of the use of web shells by attackers, knowing these tools and how to mitigate them is of vital importance from a defensive point of view.
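As an added example (not code from the talk or from VULNEX), the following Python scorer applies three heuristics commonly used to triage PHP files for web shells: a decode-then-execute chain (eval of base64_decode/gzinflate output), calls to command-execution functions, and a long high-entropy encoded blob. The function names, weights, thresholds and both sample files are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Assumed heuristics: a decode-then-execute chain is the strongest single
# indicator, a bare command-execution call the weakest.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
DECODE_THEN_EXEC = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
    re.I)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for encoded payloads


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_php_source(src: str) -> dict:
    """Return the indicators found in one PHP source text and their total weight."""
    findings = {}
    if DECODE_THEN_EXEC.search(src):
        findings["decode_then_exec"] = 3
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(src)})
    if calls:
        findings["dangerous_calls"] = 1
    blobs = LONG_B64.findall(src)
    if blobs and max(shannon_entropy(b) for b in blobs) > ENTROPY_THRESHOLD:
        findings["high_entropy_blob"] = 2
    return {"score": sum(findings.values()),
            "indicators": sorted(findings), "calls": calls}


# Constructed samples: an ordinary template and an obfuscated loader shape.
# The blob is just base64 of an alphabet string, not a working payload.
BENIGN_SAMPLE = '<?php echo htmlspecialchars($_GET["name"]); ?>'
SUSPICIOUS_SAMPLE = ('<?php @eval(base64_decode('
                     '"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5")); ?>')

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, score_php_source(src))
```

A real deployment would run this over the web root and compare results against a known-good baseline of the application's files, since frameworks and minified assets also contain long encoded strings.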


Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), a postgraduate degree in e-commerce from Harvard University (Boston) and an Executive M.B.A. from IE Business School (IE, Madrid). Currently he is the CEO at VULNEX, driving security innovation. Formerly he worked at Microsoft, PricewaterhouseCoopers and @Stake. Simon has authored and cooperated in several open-source security projects such as OWASP Pantera and LibExploit. He has also published security advisories in commercial products. Simon was awarded a DARPA Cyber Fast Track (CFT) grant to research application security. Simon is a frequent speaker at security industry events including Black Hat, DEF CON, RSA, HITB, OWASP, SOURCE, DeepSec and Microsoft Security Technets. Simon blogs at www.simonroses.com
