
Threat Intelligence

3/15/2021 04:20 PM

CISA Updates Microsoft Exchange Advisory to Include China Chopper

US officials warn organizations of China Chopper Web shells as new data sheds light on how the Exchange Server exploits have grown.

US government officials have updated their guidance on the Microsoft Exchange Server flaws to include seven China Chopper Web shells linked to successful attacks against vulnerable servers.


The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has provided ongoing updates to its Mitigate Microsoft Exchange Server Vulnerabilities webpage since Microsoft released out-of-band security updates for four Exchange Server flaws on March 2. In the following weeks, attackers have begun to scan for and exploit the bugs in target organizations around the world.

On March 13, CISA updated its guidance to provide seven Malware Analysis Reports (MARs), each of which identifies a China Chopper Web shell associated with vulnerability exploitation in Microsoft Exchange Servers. After an attacker successfully exploits a target server to gain initial access in these intrusions, they typically upload a Web shell to enable remote administration.

Web shells serve several purposes in cyberattacks. Beyond providing remote administration, attackers can use them to exfiltrate sensitive data and credentials or to upload additional malware and extend their activity on the network. Web shells can be used to issue commands to hosts inside the network that have no direct Internet access, or they can serve as command-and-control infrastructure, for example as part of a botnet or as a staging point for compromising additional external networks.

China Chopper is a Web shell widely observed in these ongoing attacks by Cynet, Palo Alto Networks' Unit 42, Red Canary, and other security companies watching the threat. It's a lightweight, one-line script that has been used by several attack groups in recent years.
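The one-line, evaluate-whatever-the-request-sends shape of China Chopper described above is also what makes it detectable on disk. The following is an added example written for this article, not code from CISA, Cynet or any of the vendors named here: a small Python scanner that walks a web root, looks at script files for the defining trait of this family (a request parameter handed straight to an evaluator in ASP.NET JScript, classic ASP or PHP), and additionally flags files that are a single short line. The regexes, the `MAX_ONE_LINER_BYTES` threshold, the file suffix list and the sample files written by `demo()` (including the `CONSTRUCTED_PARAM` parameter name) are all assumptions constructed for illustration; they are not CISA's published signatures or file names from the MARs.

```python
"""Heuristic scan for China Chopper-style one-line web shells in a web root.

Added example for this article; the patterns below are illustrative
assumptions, not CISA's published indicators.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Defining trait of China Chopper: a request parameter passed directly into a
# code evaluator. One regex per server-side language family (assumptions).
INDICATORS = {
    "aspx_eval_request": re.compile(
        r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']',
        re.IGNORECASE,
    ),
    "asp_eval_request": re.compile(
        r'\bEval\s*\(\s*Request\s*\(\s*["\'][^"\']+["\']\s*\)\s*\)', re.IGNORECASE
    ),
    "php_eval_request": re.compile(
        r'@?\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[', re.IGNORECASE
    ),
}

# A China Chopper dropper is typically one short line; this bound is an
# assumption used only to add a triage tag next to an evaluator hit.
MAX_ONE_LINER_BYTES = 512
SCRIPT_SUFFIXES = (".aspx", ".asp", ".ashx", ".php")


def scan_content(text: str) -> list[str]:
    """Return the names of indicators matched in one file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if hits and len(text.encode()) <= MAX_ONE_LINER_BYTES and "\n" not in text.strip():
        hits.append("one_line_script")
    return hits


def scan_tree(root) -> dict[str, list[str]]:
    """Walk a web root; return {relative path: indicators} for files with hits."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_content(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files: two benign pages and two shells in the China
# Chopper shape. The parameter name is a placeholder, not a real indicator.
SAMPLES = {
    "healthy.aspx": '<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n',
    "legacy/healthy.asp": '<% Response.Write(Request("name")) %>\n',
    "suspicious.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["CONSTRUCTED_PARAM"],"unsafe");%>',
    "suspicious.php": '<?php @eval($_POST["CONSTRUCTED_PARAM"]); ?>',
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, tags in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(tags)}")
```

Run as a script it prints only the two constructed shells with their tags; the benign pages, including the classic ASP page that reads a request parameter without evaluating it, produce no finding. On a real server the value of this kind of check is as a first-pass triage over Exchange's web directories, paired with file creation timestamps and the IIS request logs for the flagged paths, rather than as a definitive verdict.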

Researchers with SecurityScorecard observed two types of China Chopper in these recent attacks, they explain in a blog post. The second, they say, seems to indicate an evolution in the attack techniques — perhaps to ensure the file name isn't exposed in the Offline Address Book (OAB) file, to let attackers upload multiple files, or to let them randomly create a file name.

"The fact that China Chopper is a tool used by certain [advanced persistent threat] groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities," Cynet researchers report. It has become clear that several groups are exploiting these flaws, some before a patch was released.

CISA and some private firms tracking the attacks note that China Chopper is not the only Web shell in use. SecurityScorecard found other Web shell code designed to check if security tools from FireEye, CrowdStrike, and Carbon Black were present on a network, a sign that attackers may be collecting intelligence to learn about target environments and attempt to deploy more malware.

In addition to the MARs published over the weekend, CISA has also added information on the ransomware activity tied to the exploitation of vulnerable Exchange servers. Microsoft last week said it's tracking a form of ransomware called DearCry targeting compromised servers.

Attacks Grow Tenfold, Researchers Report
As analysts continue to track and report on these attacks, a larger picture has emerged of where these flaws are being exploited and how fast the activity is growing. Check Point Research has observed the number of attempted attacks quickly grow from 700 on March 11, 2021, to more than 7,200 on March 15.

The most heavily targeted country is the United States, which accounts for 17% of all exploit attempts, followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%), and Russia (4%). Government and military is the most targeted sector, at 23% of all attempts, followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%).

It remains unclear just how many organizations have been targeted with these exploits. ESET researchers have detected Web shells on more than 5,000 email servers as of March 10; so far, high-profile victims include the Norwegian Parliament and the European Banking Authority. Some reports indicate as many as 30,000 organizations in the US could potentially be affected.

Patching is underway, but vulnerable businesses still have work to do. In an update published March 12, Microsoft reported about 82,000 Exchange servers need to be updated. This marks a significant drop from its count of more than 100,000 vulnerable servers on March 9.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...