NC4-ALR-2024-000009 : Search Engine Optimisation (SEO) Poisoning and Web Shell Threats Towards Web Servers in Malaysia
Introduction

The National Cyber Coordination and Command Centre (NC4) would like to alert all agencies about cyber campaigns related to SEO Poisoning and web shells. SEO Poisoning is a technique used by Threat Actors to manipulate search engine results, promoting malicious websites to unsuspecting users. This can lead to malware distribution, credential theft, financial scams, misinformation, and reputation damage. Additionally, web shells are malicious scripts that provide attackers with persistent access to compromised web servers. Understanding and mitigating these threats is crucial for maintaining the security and integrity of web servers and online services.

Impact

SEO Poisoning and web shells can have severe consequences, including data loss, compromised security, malware spreading, data theft, poor search rankings, harmful backlinks, reputation damage, and legal consequences.

Brief Description

  • SEO Poisoning: Threat Actors use SEO techniques to lure users into visiting malicious websites. The goals include distributing malware, stealing credentials, attracting consumers to financial scams, spreading misinformation, damaging reputations, and diverting traffic from legitimate sites.

  • Web Shells: Malicious scripts that give attackers persistent access to compromised web servers. Attackers plant them by exploiting vulnerabilities such as SQL injection and cross-site scripting to gain entry, after which the web shell lets them manipulate the server, steal data, deface websites, and launch further attacks.
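A web shell that has already been planted typically shows up in the web server's own access log before anyone looks at the file system: a server-side script sitting in a directory that should only serve static content (uploads, media, cache), requested directly with no referrer, by a single client, mostly via POST. The following triage script is an added example and is not part of the NC4 alert or the NACSA playbook. It parses combined-format access log lines (Apache/nginx style), assumes the static directory names and script extensions listed in the code, and runs over a constructed sample log; the log lines, IP addresses and paths are made up for the demonstration.

```python
"""Heuristic triage of web server access logs for web shell activity.

Added example, not from the NC4 alert. Assumes Apache/nginx combined
log format; directory and extension lists below are assumptions that a
defender should tune to the server being reviewed.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed lists: server-side script extensions and directories that should
# only ever serve static files (a script here is a strong web shell indicator).
SCRIPT_EXT = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cfm", ".cfml")
STATIC_DIRS = ("/uploads/", "/images/", "/media/", "/assets/", "/cache/", "/storage/")

# Constructed sample log (not real traffic): normal browsing, a login, and a
# single client repeatedly POSTing to a PHP file inside the uploads directory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:05 +0800] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:10 +0800] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:11 +0800] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 398 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:02:14 +0800] "GET /wp-content/uploads/2024/03/cache.php?c=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:03:00 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Separate the path from its query string so paths aggregate correctly.
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def is_script(path):
    """True if the requested path has a server-side script extension."""
    return path.lower().endswith(SCRIPT_EXT)


def in_static_dir(path):
    """True if the path lies under a directory that should only hold static files."""
    p = path.lower()
    return any(d in p for d in STATIC_DIRS)


def analyse(log_text, min_direct_posts=2):
    """Return findings (list of dicts) for script paths showing web shell indicators."""
    per_path = defaultdict(lambda: {"ips": set(), "hits": 0, "posts": 0, "direct": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_script(rec["path"]):
            continue
        s = per_path[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            s["posts"] += 1
        if rec["referer"] in ("", "-"):  # direct access, no navigating page
            s["direct"] += 1

    findings = []
    for path, s in sorted(per_path.items()):
        reasons = []
        if in_static_dir(path):
            reasons.append("server-side script served from a static-content directory")
        if s["posts"] >= min_direct_posts and s["direct"] == s["hits"] and len(s["ips"]) == 1:
            reasons.append("repeated referrer-less POSTs from a single client")
        if reasons:
            findings.append({
                "path": path,
                "client_ips": sorted(s["ips"]),
                "hits": s["hits"],
                "posts": s["posts"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["path"], f["client_ips"], f["hits"], "hits,", f["posts"], "POSTs")
        for r in f["reasons"]:
            print("  -", r)
```

On the sample log the script flags only `/wp-content/uploads/2024/03/cache.php`, for both reasons; the legitimate `/index.php` and `/wp-login.php` requests are left alone. Each flagged path is a lead for the file-system side of the investigation (creation time, owner, and content of the file), not a verdict on its own, and the directory and extension lists should be adjusted to the CMS in use before running this against production logs.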

System Affected

Web servers running on Windows, Linux, and XAMPP, as well as Content Management Systems (CMS) such as Laravel, WordPress, Joomla, and ColdFusion. These systems are vulnerable to SEO poisoning and web shell attacks, which can lead to significant security breaches and data compromises.

Recommendation

NC4 has created a playbook that the impacted agencies can refer to. Please log in and download the playbook from the NACSA official GitLab at https://git.osdec.gov.my/NACSAmalaysia/incident-response-playbooks/ under the title “INCIDENT RESPONSE PLAYBOOK – SEARCH ENGINE OPTIMIZATION (SEO) POISONING & WEB SHELL ATTACKS”.

References

  • https://www.imperva.com/learn/application-security/web-shell/
  • https://www.scaler.com/topics/cyber-security/web-shell/
  • https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/seo-poisoning
  • https://git.osdec.gov.my/NACSAmalaysia/incident-response-playbooks/-/blob/main/INCIDENT_RESPONSE_PLAYBOOK_-_SEO___WEB_SHELL_ATTACKS.pdf