When a developer hears the word “shell,” it doesn’t automatically evoke calming oceans waves and warm, luscious sand. More often, developers hear the word shell and their minds automatically transition to shell scripting. While shell script syntax may feel clunky by today’s modern coding standards, shell enables productivity and collaboration.
On the other hand, many attackers have at least basic coding skills, meaning that they know shell, too. With these technical skills, they continue to deploy malicious packages that enable them to deploy a reverse shell on machines.
Developers who know the difference between reverse shell and bind shell can understand better why threat actors prefer reverse shell when deploying software supply chain attacks.
What is a shell?
A shell is a software that interprets commands for an operating system so users can execute commands, run scripts, and automate tasks, like:
- Controlling processes
- Executing programs
- Managing files
Some of the most common shells are:
- Windows PowerShell
- Windows Command Prompt
- bash
- sh
- dash
- Born
- Korn
The shell and its scripting language often help streamline complex tasks like:
- Setting up a network
- Managing software installation
- Backing up files
- Remotely managing servers
- Monitoring system performance
- Updating software
- Managing configurations
Types of Shell Attacks
Although shell has many legitimate uses, attackers often use it to take control of a victim machine. In a shell connection, the exploited system has a utility networking utility, like netcat, that reads and writes data across network connections running in listener mode, meaning that the function only responds when an event occurs. Whenever a user makes a web request or a network connection is established, the listeners provide information about it.
Bind Shell
A bind shell only listens to a specific port, waiting for an incoming connection request. Once a user establishes a connection, the bind shell provides a shell interface, giving the user a way to remotely execute commands on the machine. System admins often use bind shells for server, networked devices, or system remote management.
With a bind shell, anyone – including attackers – can connect to the port to take control over the target machine. For example, if attackers deliver a malicious payload to a target machine, they can launch a command shell that listens to the local port and takes control of it.
Reverse Shell
A reverse shell establishes a connection between a remote machine and a target machine, allowing the remote machine to send a connection request to the target machine. The target machine listens for this request, then establishes the connection. System admins may use reverse shell for legitimate reasons, like remote server administration.
With a reverse shell, attackers can often bypass security controls, like firewalls. While firewalls may prevent bind shell attacks because they filter incoming traffic, they often provide fewer limits for outgoing connections, meaning they won’t capture the malicious activity. For example, attackers inserted malicious payloads into application inputs that a log4j2 logger would parse to gain remote code execution privileges on the host running the application.
Reverse Shells in Software Supply Chain Attacks
Since most security tools scan incoming signals and connections for threats, reverse shell attacks enable threat actors to evade detection. Reverse shell attacks flip the script on security tools by hiding in outgoing signals and connections. Increasingly, attackers target npm packages and the Python Package Index (PyPI) to deploy software supply chain attacks.
As malicious actors seek to shift their attacks left, they poison the software supply chain by hiding in seemingly harmless-sounding packages. In early November of 2023, security researchers identified 48 malicious npm packages with capabilities to deploy a reverse shell on compromised systems. Attackers insert an install hook in the package.json that calls a javaScript code to establish a reverse shell to rsh.51pwn[.]com. Developers who install the package on their machines can trigger the attack chain.
To mitigate risks, developers should:
- Validate open-source repositories by verifying upstream repositories, reading file names carefully, choosing well-maintained repositories, and reviewing lists of known malicious packages
- Use an intelligent software composition analysis (SCA) solution to identify and track components and their security status
- Understand all dependencies across functional elements and data flow paths to identify and remediate threats
- Recover affected machines by resetting or wiping potentially impacted devices, changing passwords, and rotating sensitive credentials/tokens
Qwiet AI: Mitigating Software Supply Chain Risks
With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines.
Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats.