A web shell, a form of computer malware, was found on a city email server on March 2, exposing Baltimore’s government to a potential security breach, The Brew has learned.
The attackers apparently did not execute the web shell. Doing so would have allowed them to run commands in order to steal data or to use their access as a launch pad for credential theft, hands-on-keyboard activity and other mischief.
Two years ago, much of Baltimore’s computer system was infected with the ransomware variant RobbinHood, which hobbled water billing, real estate property transfers and other government functions, requiring several months to fully restore.
The latest potential breach in web security was disclosed by a spending item before today’s Board of Estimates.
It authorizes an emergency payment of $32,400 to Virginia-based Carahsoft Technology Corp. to review whether the web shell had caused any lasting damage to the city’s email network.
UPDATE – The mayor’s office released the following in response to The Brew’s questions about the web shell: “There was no cyberattack. BCIT [Baltimore City Office of Information and Technology] found and removed malware or malicious software from a server and brought in external security expertise to ensure, as a precaution, that BCIT’s analysis, findings and actions were appropriate.”
Web shell attacks have exploded in recent years, with an average of 140,000 monthly “encounters” worldwide in the second half of 2020, according to recent data from Microsoft.
A year ago, Microsoft was detecting an average of 77,000 web shells per month.
A web shell is typically a small piece of malicious code that attackers implant on vulnerable servers.
The shell can remotely execute code or commands to steal data, upload, download and delete files, and deliver additional malicious payloads to the server.
An IT expert, who asked not to be publicly identified, expressed surprise today that an Exchange server is still found in the city’s system.
“Why do they still have Exchange servers rather than Microsoft Office 365, which is the cloud-based version that is more secure and which virtually everybody uses?”
After the May 7, 2019, RobbinHood attack, the city promised to harden its servers against attacks attempting to install malware.