Image Credit: Schäferle from Pixabay.
***Updated March 13, 2021 – CISA has identified seven webshells associated with this activity. This is not an all-inclusive list of the webshells being leveraged by the actors. CISA recommends that organizations review the following malware analysis reports (MARs) for detailed analysis of the seven webshells, along with TTPs and IOCs.
- AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
- AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
- AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
- AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
- AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
- AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
- AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
***Updated March 12, 2021 – Check out my OWA tool for checking whether a system has been affected.
Earlier this month Microsoft disclosed a set of vulnerabilities in Microsoft Exchange server products. Microsoft has provided a blog post where you can find an explanation of the attack on Exchange servers, information on HAFNIUM, and more.
Check out this latest advisory from the Cybersecurity and Infrastructure Security Agency (CISA), with step-by-step instructions on how to gather evidence with FTK Imager and KAPE. The Alert includes information on how to mitigate the vulnerabilities, including the tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this attack.
As of March 10, 2021, CISA recommends the following:
- Organizations should run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.
- Organizations should investigate signs of a compromise from at least January 1, 2021 through present.
Furthermore, according to Bloomberg, the Chinese state-sponsored hacking group has claimed at least 60,000 known victims globally.