CISA Updates Microsoft Exchange Advisory to Include China Chopper

Published: 23/11/2024   Category: security




US officials warn organizations of China Chopper Web shells as new data sheds light on how the Exchange Server exploits have grown.



US government officials have updated their guidance on the Microsoft Exchange Server flaws to include seven China Chopper Web shells linked to successful attacks against vulnerable servers.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has provided ongoing updates to its Mitigate Microsoft Exchange Server Vulnerabilities webpage since Microsoft released out-of-band security updates for four Exchange Server flaws on March 2. In the following weeks, attackers have begun to scan for and exploit the bugs in target organizations around the world.
On March 13, CISA updated its guidance to provide seven Malware Analysis Reports (MARs), each of which identifies a China Chopper Web shell associated with vulnerability exploitation in Microsoft Exchange Servers. After an attacker successfully exploits a target server to gain initial access in these intrusions, they typically upload a Web shell to enable remote administration.

Web shells serve several purposes in cyberattacks. Beyond achieving remote admin, attackers can use them to exfiltrate sensitive data and credentials or to upload additional malware to further their activity on the network. Web shells can be used to issue commands to hosts inside the network that have no direct Internet access, or they can serve as command-and-control infrastructure, for example as part of a botnet or as a staging point for compromising more external networks.
China Chopper is a Web shell widely observed in these ongoing attacks by Cynet, Palo Alto Networks Unit 42, Red Canary, and other security companies watching the threat. It's a lightweight, one-line script that has been used by several attack groups in recent years.
Researchers with SecurityScorecard observed two types of China Chopper in these recent attacks, they explain in a blog post. The second, they say, seems to indicate an evolution in the attack techniques: perhaps to ensure the file name isn't exposed in the Offline Address Book (OAB) file, to let attackers upload multiple files, or to let them randomly generate a file name.
"The fact that China Chopper is a tool used by certain [advanced persistent threat] groups and the fact that China Chopper was specifically used to attack the vulnerable Microsoft services leads us to believe that additional APT groups are targeting these vulnerabilities," Cynet researchers report. It has become clear that several groups are exploiting these flaws, some before a patch was released.
CISA and some private firms tracking the attacks note that China Chopper is not the only Web shell in use. SecurityScorecard found other Web shell code designed to check if security tools from FireEye, CrowdStrike, and Carbon Black were present on a network, a sign that attackers may be collecting intelligence to learn about target environments and attempt to deploy more malware.
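The two traits the article attributes to these shells, a one-line script that evaluates request data and pages that check for FireEye, CrowdStrike or Carbon Black, can be turned into a simple triage scan of an Exchange web root. The script below is an added example, not code from the article, CISA's MARs or any of the vendors named; its heuristics and fixture paths are assumptions, and the sample files it writes to a temporary directory are constructed.

```python
"""Flag China Chopper-style web shells under an Exchange web root.
Added example, not from the article or CISA's MARs. Heuristics are assumptions
drawn from the article: a one-line eval-of-request script, and pages that probe
for FireEye, CrowdStrike or Carbon Black. Expect false positives; tune first."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Indicator 1: script evaluates attacker-supplied request data (China Chopper style).
EVAL_REQUEST = re.compile(r"eval\s*\(\s*Request(\.Item)?\s*[\[(]", re.IGNORECASE)
# Indicator 2: reconnaissance for the security tools named in the article.
EDR_PROBE = re.compile(r"fireeye|crowdstrike|carbon\s*black", re.IGNORECASE)
WEB_SUFFIXES = (".aspx", ".ashx", ".asmx")

def classify(text: str) -> list[str]:
    """Return the indicator names that match this file's contents."""
    findings = []
    if EVAL_REQUEST.search(text):
        findings.append("eval-of-request")
        if "\n" not in text.strip() and len(text.strip()) < 300:
            findings.append("one-line-script")
    if EDR_PROBE.search(text):
        findings.append("probes-for-security-tools")
    return findings

def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and return {relative path: findings} for each suspicious page."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            hits = classify(path.read_text(errors="replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

def demo() -> dict[str, list[str]]:
    """Constructed fixtures: a shell-like fragment, a recon page, a benign page."""
    root = Path(tempfile.mkdtemp())
    (root / "oab").mkdir()
    (root / "oab" / "x.aspx").write_text('<% eval(Request.Item["KEY"], "unsafe"); %>')
    (root / "recon.aspx").write_text(
        '<%\n// constructed recon page\nvar p = Process.GetProcessesByName("CrowdStrike");\n%>')
    (root / "default.aspx").write_text("<html><body>Outlook Web App</body></html>")
    return scan(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Point `scan()` at the real Exchange web directories rather than the fixture, and treat every hit as a lead for manual review, not a verdict.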
In addition to the MARs published over the weekend, CISA has also added information on the ransomware activity tied to the exploitation of vulnerable Exchange servers. Microsoft last week said it's tracking a form of ransomware called DearCry targeting compromised servers.
Attacks Grow Tenfold, Researchers Report
As analysts continue to track and report on these attacks, a larger picture has emerged of where these flaws are being exploited and how fast the activity is growing. Check Point Research has observed the number of attempted attacks quickly grow from 700 on March 11, 2021, to more than 7,200 on March 15.
The most heavily targeted country is the United States, which accounts for 17% of all exploit attempts, followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%), and Russia (4%). Government and military is the most targeted sector, at 23% of all attempts, followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%).
It remains unclear just how many organizations have been targeted with these exploits. ESET researchers have detected Web shells on more than 5,000 email servers as of March 10; so far, high-profile victims include the Norwegian Parliament and the European Banking Authority. Some reports indicate as many as 30,000 organizations in the US could potentially be affected.
Patching is underway, but vulnerable businesses still have work to do. In an update published March 12, Microsoft reported that about 82,000 Exchange servers still need to be updated. This marks a significant drop from its count of more than 100,000 vulnerable servers on March 9.
