US officials warn organizations of China Chopper Web shells as new data sheds light on how the Exchange Server exploits have grown.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 15, 2021

4 Min Read

US government officials have updated their guidance on the Microsoft Exchange Server flaws to include seven China Chopper Web shells linked to successful attacks against vulnerable servers.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has provided ongoing updates to its Mitigate Microsoft Exchange Server Vulnerabilities webpage since Microsoft released out-of-band security updates for four Exchange Server flaws on March 2. In the following weeks, attackers have begun to scan for and exploit the bugs in target organizations around the world.

On March 13, CISA updated its guidance to provide seven Malware Analysis Reports (MARs), each of which identifies a China Chopper Web shell associated with vulnerability exploitation in Microsoft Exchange Servers. After an attacker successfully exploits a target server to gain initial access in these intrusions, they typically upload a Web shell to enable remote administration.

Web shells serve several purposes in cyberattacks. Beyond achieving remote admin, attackers can use these to exfiltrate sensitive data and credentials or upload additional malware to further their activity on the network. Web shells can be used to issue commands to hosts inside the network without direct Internet access, or they can be used as command-and-control infrastructure — example, as a botnet or as support to compromise more external networks.

China Chopper is a Web shell widely observed in these ongoing attacks by Cynet, Palo Alto Networks' Unit 42, Red Canary, and other security companies watching the threat. It's a lightweight, one-line script that has been used by several attack groups in recent years.

Researchers with SecurityScorecard observed two types of China Chopper in these recent attacks, they explain in a blog post. The second, they say, seems to indicate an evolution in the attack techniques — perhaps to ensure the file name isn't exposed in the Offline Address Book (OAB) file, to let attackers upload multiple files, or to let them randomly create a file name.

"The fact that China Chopper is a tool used by certain [advanced persistent threat] groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities," Cynet researchers report. It has become clear that several groups are exploiting these flaws, some before a patch was released.

CISA and some private firms tracking the attacks note that China Chopper is not the only Web shell in use. SecurityScorecard found other Web shell code designed to check if security tools from FireEye, CrowdStrike, and Carbon Black were present on a network, a sign that attackers may be collecting intelligence to learn about target environments and attempt to deploy more malware.

In addition to the MARs published over the weekend, CISA has also added information on the ransomware activity tied to the exploitation of vulnerable Exchange servers. Microsoft last week said it's tracking a form of ransomware called DearCry targeting compromised servers.

Attacks Grow Tenfold, Researchers Report
As analysts continue to track and report on these attacks, a larger picture has emerged of where these flaws are being exploited and how fast the activity is growing. Check Point Research has observed the number of attempted attacks quickly grow from 700 on March 11, 2021, to more than 7,200 on March 15.

The most heavily targeted country is the United States, which accounts for 17% of all exploit attempts, followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%), and Russia (4%). Government and military is the most targeted sector, at 23% of all attempts, followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%).

It remains unclear just how many organizations have been targeted with these exploits. ESET researchers have detected Web shells on more than 5,000 email servers as of March 10; so far, high-profile victims include the Norwegian Parliament and the European Banking Authority. Some reports indicate as many as 30,000 organizations in the US could potentially be affected.

Patching is underway, but vulnerable businesses still have work to do. In an update published March 12, Microsoft reported about 82,000 Exchange servers need to be updated. This marks a significant drop from its count of more than 100,000 vulnerable servers on March 9.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights