Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:20 PM
Connect Directly

CISA Updates Microsoft Exchange Advisory to Include China Chopper

US officials warn organizations of China Chopper Web shells as new data sheds light on how the Exchange Server exploits have grown.

US government officials have updated their guidance on the Microsoft Exchange Server flaws to include seven China Chopper Web shells linked to successful attacks against vulnerable servers.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Contemplating the Coffee Supply Chain: A Horror Story

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has provided ongoing updates to its Mitigate Microsoft Exchange Server Vulnerabilities webpage since Microsoft released out-of-band security updates for four Exchange Server flaws on March 2. In the following weeks, attackers have begun to scan for and exploit the bugs in target organizations around the world.

On March 13, CISA updated its guidance to provide seven Malware Analysis Reports (MARs), each of which identifies a China Chopper Web shell associated with vulnerability exploitation in Microsoft Exchange Servers. After an attacker successfully exploits a target server to gain initial access in these intrusions, they typically upload a Web shell to enable remote administration.

Web shells serve several purposes in cyberattacks. Beyond achieving remote admin, attackers can use these to exfiltrate sensitive data and credentials or upload additional malware to further their activity on the network. Web shells can be used to issue commands to hosts inside the network without direct Internet access, or they can be used as command-and-control infrastructure — example, as a botnet or as support to compromise more external networks.

China Chopper is a Web shell widely observed in these ongoing attacks by Cynet, Palo Alto Networks' Unit 42, Red Canary, and other security companies watching the threat. It's a lightweight, one-line script that has been used by several attack groups in recent years.

Researchers with SecurityScorecard observed two types of China Chopper in these recent attacks, they explain in a blog post. The second, they say, seems to indicate an evolution in the attack techniques — perhaps to ensure the file name isn't exposed in the Offline Address Book (OAB) file, to let attackers upload multiple files, or to let them randomly create a file name.

"The fact that China Chopper is a tool used by certain [advanced persistent threat] groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities," Cynet researchers report. It has become clear that several groups are exploiting these flaws, some before a patch was released.

CISA and some private firms tracking the attacks note that China Chopper is not the only Web shell in use. SecurityScorecard found other Web shell code designed to check if security tools from FireEye, CrowdStrike, and Carbon Black were present on a network, a sign that attackers may be collecting intelligence to learn about target environments and attempt to deploy more malware.

In addition to the MARs published over the weekend, CISA has also added information on the ransomware activity tied to the exploitation of vulnerable Exchange servers. Microsoft last week said it's tracking a form of ransomware called DearCry targeting compromised servers.

Attacks Grow Tenfold, Researchers Report
As analysts continue to track and report on these attacks, a larger picture has emerged of where these flaws are being exploited and how fast the activity is growing. Check Point Research has observed the number of attempted attacks quickly grow from 700 on March 11, 2021, to more than 7,200 on March 15.

The most heavily targeted country is the United States, which accounts for 17% of all exploit attempts, followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%), and Russia (4%). Government and military is the most targeted sector, at 23% of all attempts, followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%).

It remains unclear just how many organizations have been targeted with these exploits. ESET researchers have detected Web shells on more than 5,000 email servers as of March 10; so far, high-profile victims include the Norwegian Parliament and the European Banking Authority. Some reports indicate as many as 30,000 organizations in the US could potentially be affected.

Patching is underway, but vulnerable businesses still have work to do. In an update published March 12, Microsoft reported about 82,000 Exchange servers need to be updated. This marks a significant drop from its count of more than 100,000 vulnerable servers on March 9.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: click on all the semaphores 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.