Tags: malware, medium, Scanning, System Compromise, Webshell, EncystPHP

Apr 13, 2026 • SANS Internet Storm Center

Scans for EncystPHP Webshell, (Mon, Apr 13th)

Source: SANS Internet Storm Center
Category: malware
Severity: medium

Executive Summary

Security researchers have identified active scanning campaigns targeting the EncystPHP webshell, a malicious tool increasingly favored by threat actors compromising vulnerable FreePBX systems. Unlike previous campaigns relying on default or weak credentials, attackers are now deploying instances with complex, difficult-to-guess credentials to evade detection. This shift indicates a maturation in tactics aimed at maintaining persistent access within compromised environments. Fortinet previously documented this webshell in January, highlighting its relevance in current threat landscapes. Organizations utilizing FreePBX should prioritize patching known vulnerabilities and monitoring for unauthorized webshell activity. Enhanced authentication mechanisms and network segmentation are recommended to mitigate the risk of unauthorized command and control access. Continuous monitoring for scanning activity related to EncystPHP is essential for early detection and response against these evolving intrusion attempts.

Summary

Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the "EncystPHP" web shell. Fortinet wrote about this webshell back in January. It appears to be a favorite among attackers compromising vulnerable FreePBX systems.

Linked Entities

  • EncystPHP