
When a developer hears the word “shell,” it doesn’t automatically evoke calming ocean waves and warm, luscious sand. More often, developers hear the word shell and their minds go straight to shell scripting. While shell script syntax may feel clunky by today’s coding standards, the shell still enables productivity and collaboration.

On the other hand, many attackers have at least basic coding skills, meaning that they know shell, too. With those skills, they continue to publish malicious packages whose purpose is to open a reverse shell on the machines that install them.

Developers who know the difference between a reverse shell and a bind shell are better placed to understand why threat actors prefer reverse shells when mounting software supply chain attacks.

What is a shell?

A shell is software that interprets commands for an operating system so users can execute commands, run scripts, and automate tasks, like:

  • Controlling processes
  • Executing programs
  • Managing files

Some of the most common shells are:

  • Windows PowerShell
  • Windows Command Prompt
  • bash
  • sh
  • dash
  • Bourne
  • Korn

The shell and its scripting language often help streamline complex tasks like:

  • Setting up a network 
  • Managing software installation
  • Backing up files 
  • Remotely managing servers
  • Monitoring system performance
  • Updating software
  • Managing configurations

Types of Shell Attacks

Although the shell has many legitimate uses, attackers often use it to take control of a victim machine. In a shell connection, the exploited system runs a networking utility, like netcat, that reads and writes data across network connections. Run in listener mode, such a utility sits idle until an event occurs: whenever a client makes a request or a network connection is established, the listener wakes up and handles it.

Bind Shell

A bind shell listens on a specific port, waiting for an incoming connection request. Once a user establishes a connection, the bind shell provides a shell interface, giving the user a way to remotely execute commands on the machine. System admins often use bind shells for remote management of servers, networked devices, and other systems.

With a bind shell, anyone – including attackers – who can reach the port can connect to it and take control of the target machine. For example, if attackers deliver a malicious payload to a target machine, it can launch a command shell that listens on a local port, and they then connect to that port to take control of the host.

Reverse Shell

A reverse shell also connects a remote machine and a target machine, but the direction is reversed: the target machine initiates the connection outward to the remote machine, which is listening for it, and hands the remote side a shell interface once the connection is established. System admins may use reverse shells for legitimate reasons, like remote administration of servers behind NAT.

With a reverse shell, attackers can often bypass security controls like firewalls. Firewalls may block bind shell attacks because they filter incoming traffic, but they typically place fewer limits on outgoing connections, so the malicious activity goes uncaptured. For example, in the Log4Shell attacks, attackers inserted malicious payloads into application inputs that a log4j2 logger would parse, gaining remote code execution on the host running the application.
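To make the direction difference concrete from the defender's side, here is an added example (not code from the original post) that classifies constructed `ss -tnp` socket lines: a shell or netcat process in LISTEN state is the bind-shell footprint, while a shell holding an established connection from an ephemeral local port dialled out, the reverse-shell footprint. The `ss` line format, the process-name lists and the 32768 ephemeral-port threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Interactive shells should not own network sockets on a server; netcat-style
# tools in LISTEN state are the classic bind-shell footprint. (Name lists assumed.)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
LISTENER_TOOLS = {"nc", "ncat", "netcat", "socat"}
EPHEMERAL_MIN = 32768  # Linux default lower bound of ip_local_port_range (assumption)

# One data line of `ss -tnp` (format assumed from common Linux output; header is skipped).
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+\S+:(?P<lport>\d+|\*)\s+(?P<raddr>\S+):(?P<rport>\d+|\*)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)\)'
)

@dataclass
class Finding:
    pid: int
    proc: str
    verdict: str  # bind_shell_listener | bind_shell_session | reverse_shell
    detail: str

def classify(line):
    """Return a Finding for one socket line, or None when it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, state, pid, fd = m["proc"], m["state"], int(m["pid"]), int(m["fd"])
    if state == "LISTEN" and proc in SHELLS | LISTENER_TOOLS:
        return Finding(pid, proc, "bind_shell_listener",
                       f"{proc} waits for inbound connections on port {m['lport']}")
    if state == "ESTAB" and proc in SHELLS:
        # A shell whose local port is ephemeral dialled out (reverse shell); a shell
        # serving on a fixed port is handling an inbound session (bind shell).
        outbound = int(m["lport"]) >= EPHEMERAL_MIN
        verdict = "reverse_shell" if outbound else "bind_shell_session"
        stdio = " with stdio attached to the socket" if fd <= 2 else ""
        direction = "outbound" if outbound else "inbound"
        return Finding(pid, proc, verdict,
                       f"{direction} session with {m['raddr']}:{m['rport']}{stdio}")
    return None

def scan(ss_output):
    return [f for f in map(classify, ss_output.splitlines()) if f]

# Constructed sample resembling `ss -tnp` output (addresses are documentation ranges).
SAMPLE = """State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0 0 10.0.0.5:22     198.51.100.2:51000 users:(("sshd",pid=900,fd=4))
ESTAB  0 0 10.0.0.5:49822  203.0.113.7:4444   users:(("bash",pid=4242,fd=0))
LISTEN 0 1 0.0.0.0:4444    0.0.0.0:*          users:(("nc",pid=4243,fd=3))
ESTAB  0 0 10.0.0.5:4444   203.0.113.9:50101  users:(("sh",pid=4244,fd=1))
"""
```

Running `scan(SAMPLE)` flags the bash process as a reverse shell, the netcat listener as a bind-shell listener and the sh session on port 4444 as a bind-shell session, while the sshd connection is left alone.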

Reverse Shells in Software Supply Chain Attacks

Since most security tools scan incoming signals and connections for threats, reverse shell attacks enable threat actors to evade detection. Reverse shell attacks flip the script on security tools by hiding in outgoing signals and connections. Increasingly, attackers target npm packages and the Python Package Index (PyPI) to deploy software supply chain attacks. 

As malicious actors seek to shift their attacks left, they poison the software supply chain by hiding in harmless-sounding packages. In early November of 2023, security researchers identified 48 malicious npm packages capable of deploying a reverse shell on compromised systems. The attackers inserted an install hook in package.json that runs JavaScript code to establish a reverse shell to rsh.51pwn[.]com, so simply installing the package on a developer machine triggers the attack chain.
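An added example (not part of the post or of the cited research) of the review step a developer can automate before installing a package: it lists the install-time lifecycle hooks in package.json and scans any JavaScript file a hook runs for networking and process-spawning APIs. The package contents and the indicator patterns are constructed assumptions, not signatures from the real campaign.

```python
import json
import re

# npm lifecycle hooks that run automatically when the package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SCRIPT_REF = re.compile(r"\bnode\s+([\w./-]+\.js)\b")

# Indicators in an install-time script that warrant manual review (heuristics, assumed).
JS_INDICATORS = {
    "net socket API": re.compile(r"require\(['\"]net['\"]\)|\.connect\("),
    "child process spawning": re.compile(r"require\(['\"]child_process['\"]\)|\b(spawn|exec)\("),
    "shell binary referenced": re.compile(r"['\"](/bin/(ba)?sh|cmd\.exe|powershell)['\"]"),
    "obfuscation": re.compile(r"\beval\(|Buffer\.from\([^)]*['\"]base64['\"]"),
}

def audit_package(files):
    """files: mapping path -> content of the unpacked package (package.json required).
    Returns a list of (hook, command, [indicators]) for every install-time hook."""
    pkg = json.loads(files["package.json"])
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        indicators = []
        for ref in SCRIPT_REF.findall(cmd):
            src = files.get(ref)
            if src is None:
                indicators.append(f"referenced script {ref} missing from package")
                continue
            indicators += [name for name, pat in JS_INDICATORS.items() if pat.search(src)]
        findings.append((hook, cmd, indicators))
    return findings

# Constructed packages: one with a suspicious postinstall script, one benign.
SUSPICIOUS_PKG = {
    "package.json": json.dumps({"name": "totally-fine-utils", "version": "1.0.0",
                                "scripts": {"test": "jest", "postinstall": "node lib/setup.js"}}),
    "lib/setup.js": "const net = require('net');\nconst cp = require('child_process');\n"
                    "// constructed sample: remainder omitted\n",
}
BENIGN_PKG = {
    "package.json": json.dumps({"name": "plain-lib", "version": "2.1.0",
                                "scripts": {"build": "tsc", "postinstall": "node scripts/thanks.js"}}),
    "scripts/thanks.js": "console.log('thanks for installing');\n",
}
```

Any hook is reported so the reviewer sees what runs at install time; the indicator list is what turns a routine hook into one that must be read before `npm install`.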

To mitigate risks, developers should:

  • Validate open-source repositories by verifying upstream repositories, reading file names carefully, choosing well-maintained repositories, and reviewing lists of known malicious packages
  • Use an intelligent software composition analysis (SCA) solution to identify and track components and their security status
  • Understand all dependencies across functional elements and data flow paths to identify and remediate threats
  • Recover affected machines by resetting or wiping potentially impacted devices, changing passwords, and rotating sensitive credentials/tokens

Qwiet AI: Mitigating Software Supply Chain Risks

With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats. 
About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai
