Webshells Observed in Post-Compromised Exchange Servers
Cybersecurity and Infrastructure Security Agency sent this bulletin at 03/25/2021 12:08 PM EDT
You are subscribed to no topic for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
CISA has also updated seven previously released MARs. The updated MARs now include CISA-developed YARA rules to help network defenders detect associated malware.
CISA encourages users and administrators to review the following resources for more information:
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- MAR-10328877-1.v1: China Chopper Webshell
- MAR-10328923-1.v1: China Chopper Webshell
- MAR-10329107-1.v1: China Chopper Webshell
- MAR-10329297-1.v1: China Chopper Webshell
- MAR-10329298-1.v1: China Chopper Webshell
- MAR-10329301-1.v1: China Chopper Webshell
- MAR-10329494-1.v1: China Chopper Webshell
- MAR-10329499-1.v1: China Chopper Webshell
- MAR-10329496-1.v1: China Chopper Webshell
- CISA web page Remediating Microsoft Exchange Vulnerabilities
- CISA web page Ransomware Guidance and Resources
This product is provided subject to this Notification and this Privacy & Use policy.