Apr 13, 2026 • SANS Internet Storm Center
Scans for EncystPHP Webshell, (Mon, Apr 13th)
Executive Summary
Attackers are actively scanning for the EncystPHP webshell, which is particularly favored for compromising vulnerable FreePBX VoIP systems. Unlike previous opportunistic webshell deployments requiring no authentication, threat actors are now utilizing webshells with stronger, harder-to-guess credentials. The scanning activity suggests ongoing reconnaissance efforts to identify and exploit susceptible systems. Organizations running FreePBX should ensure patches are current, monitor for unauthorized webshell deployments, and implement strong access controls to mitigate risk. The use of advanced webshell credentials indicates a shift toward more sophisticated attack methodologies targeting VoIP infrastructure.
Summary
Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the "EncystPHP" web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems.
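One way to act on the recommendation above to monitor for unauthorized webshell deployments is a baseline-and-diff integrity check of the web root: record a hash manifest after a known-good install or update, re-run it periodically, and flag any added or modified file that carries PHP code. This is an added example, not code from the ISC diary, from Fortinet's write-up or from the FreePBX project. The web root path, the manifest file name and the list of PHP-served extensions are assumptions, and the sample files in the demo are constructed.

```python
"""Baseline-and-diff check for unexpected PHP files under a web root.

Added example, not part of the ISC diary. The web root, manifest path and
PHP extension list are placeholders to adjust for your own host.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: extensions the web server hands to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: str) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def looks_like_php(root: str, rel_path: str) -> bool:
    """PHP by extension, or any file whose leading bytes carry a PHP open tag.

    The open-tag check catches PHP dropped behind a non-PHP extension.
    """
    p = Path(root) / rel_path
    if p.suffix.lower() in PHP_EXTENSIONS:
        return True
    with p.open("rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head


def suspicious_php(root: str, baseline: dict) -> list:
    """Added or modified files that contain PHP code: review these by hand."""
    delta = diff_manifest(baseline, build_manifest(root))
    return sorted(p for p in delta["added"] + delta["modified"] if looks_like_php(root, p))


def demo() -> list:
    """Run the check against a constructed throwaway web root."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text("<?php echo 'known good';")
        (Path(root) / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        save_manifest(build_manifest(root), str(Path(root) / "..") + "/manifest.json")
        baseline = load_manifest(str(Path(root) / "..") + "/manifest.json")

        # Constructed changes after the baseline: one new .php file and one
        # PHP open tag hiding behind an image extension. Neither is a real shell.
        (Path(root) / "cache.php").write_text("<?php /* constructed placeholder */ echo 'x';")
        (Path(root) / "theme.png").write_bytes(b"<?php /* constructed placeholder */")
        (Path(root) / "logo.png").write_bytes(b"\x89PNG different but still not PHP")

        return suspicious_php(root, baseline)


if __name__ == "__main__":
    print(demo())  # expected: ['cache.php', 'theme.png']
```

Regenerate the manifest immediately after each legitimate FreePBX update, since patched modules will otherwise show up as modified; anything that appears between updates is a candidate webshell and should be pulled for review together with the web server access log entries that first touched it.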