Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

When a developer hears the word “shell,” it doesn’t automatically evoke calming oceans waves and warm, luscious sand. More often, developers hear the word shell and their minds automatically transition to shell scripting. While shell script syntax may feel clunky by today’s modern coding standards, shell enables productivity and collaboration. 

On the other hand, many attackers have at least basic coding skills, meaning that they know shell, too. With these technical skills, they continue to deploy malicious packages that enable them to deploy a reverse shell on machines. 

Developers who know the difference between reverse shell and bind shell can understand better why threat actors prefer reverse shell when deploying software supply chain attacks.  

What is a shell?

A shell is a software that interprets commands for an operating system so users can execute commands, run scripts, and automate tasks, like:

  • Controlling processes
  • Executing programs
  • Managing files

Some of the most common shells are:

  • Windows PowerShell
  • Windows Command Prompt
  • bash
  • sh
  • dash
  • Born
  • Korn

The shell and its scripting language often help streamline complex tasks like:

  • Setting up a network 
  • Managing software installation
  • Backing up files 
  • Remotely managing servers
  • Monitoring system performance
  • Updating software
  • Managing configurations

Types of Shell Attacks

Although shell has many legitimate uses, attackers often use it to take control of a victim machine. In a shell connection, the exploited system has a utility networking utility, like netcat, that reads and writes data across network connections running in listener mode, meaning that the function only responds when an event occurs. Whenever a user makes a web request or a network connection is established, the listeners provide information about it. 

Bind Shell

A bind shell only listens to a specific port, waiting for an incoming connection request. Once a user establishes a connection, the bind shell provides a shell interface, giving the user a way to remotely execute commands on the machine. System admins often use bind shells for server, networked devices, or system remote management.

With a bind shell, anyone – including attackers – can connect to the port to take control over the target machine.  For example, if attackers deliver a malicious payload to a target machine, they can launch a command shell that listens to the local port and takes control of it. 

Reverse Shell

A reverse shell establishes a connection between a remote machine and a target machine, allowing the remote machine to send a connection request to the target machine. The target machine listens for this request, then establishes the connection. System admins may use reverse shell for legitimate reasons, like remote server administration.

With a reverse shell, attackers can often bypass security controls, like firewalls. While firewalls may prevent bind shell attacks because they filter incoming traffic, they often provide fewer limits for outgoing connections, meaning they won’t capture the malicious activity. For example, attackers inserted malicious payloads into application inputs that a log4j2 logger would parse to gain remote code execution privileges on the host running the application. 

Reverse Shells in Software Supply Chain Attacks

Since most security tools scan incoming signals and connections for threats, reverse shell attacks enable threat actors to evade detection. Reverse shell attacks flip the script on security tools by hiding in outgoing signals and connections. Increasingly, attackers target npm packages and the Python Package Index (PyPI) to deploy software supply chain attacks. 

As malicious actors seek to shift their attacks left, they poison the software supply chain by hiding in seemingly harmless-sounding packages. In early November of 2023, security researchers identified 48 malicious npm packages with capabilities to deploy a reverse shell on compromised systems. Attackers insert an install hook in the package.json that calls a javaScript code to establish a reverse shell to rsh.51pwn[.]com. Developers who install the package on their machines can trigger the attack chain. 

To mitigate risks, developers should:

  • Validate open-source repositories by verifying upstream repositories, reading file names carefully, choosing well-maintained repositories, and reviewing lists of known malicious packages
  • Use an intelligent software composition analysis (SCA) solution to identify and track components and their security status
  • Understand all dependencies across functional elements and data flow paths to identify and remediate threats
  • Recover affected machines by resetting or wiping potentially impacted devices, changing passwords, and rotating sensitive credentials/tokens

Qwiet AI: Mitigating Software Supply Chain Risks

With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats. 

 

 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE
AI Cybersecurity
April 29, 2024 10 min to read

Revolutionizing Vulnerability Detection and Patching

by Chetan Conikee

In the ever-evolving landscape of software development, ensuring the security of applications has become a paramount concern. As cyber threats continue to grow in sophistication, it is crucial for developers and security professionals to stay ahead of the curve. This article explores a groundbreaking approach that combines the power of Code Property Graphs (CPGs) and […]

READ MORE
Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE

Read Next

Cybersecurity
December 1, 2021 5 min to read

Keeping the wrench out of the gears: 5 tips for achieving...

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

READ MORE
Cybersecurity
January 25, 2022 8 min to read

Best Practice for Application Security in the Cloud

The future of application security is in the cloud. Software development and application deployment continue to move from on-premise to various types of cloud environments. While the basics of application security (AppSec) carry over from on-premise, the cloud introduces new areas of complexity and a new set of requirements. AppSec best practices for the cloud […]

READ MORE
Cybersecurity
March 15, 2022 7 min to read

Secure Software Summit: The State of OSS Supply Chain Sec...

  The Open Source Software (OSS) Supply Chain is under attack. As evidenced by the recent Log4Shell vulnerability, the OSS supply chain is increasingly a focus for attackers seeking to exploit weak links in security. A number of research reports have recorded a significant increase in so-called “next-gen software supply chain attacks” over the past […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In