On March 2, 2021, Microsoft released out-of-band patches for on-premises Microsoft Exchange Servers and described targeted exploitation by the likely China-based HAFNIUM threat group to steal data. Related reporting indicates that the campaign has been ongoing since at least January 2021. Organizations with vulnerable systems should apply these updates as soon as possible.
Secureworks® Counter Threat Unit™ (CTU) researchers observed elements of this campaign across our customer base. On March 1, our endpoint telemetry identified China Chopper web shells on Exchange Servers at approximately a dozen clients. We had detected similar activity affecting a smaller number of customers in February. China Chopper is a widely available web shell that has been used since at least 2013 and is relatively easily detected by endpoint controls.
This combination of exploitation technique and use of China Chopper made this activity particularly puzzling. Exploits for vulnerabilities that do not have a patch (also known as 'zero-days') are rare. Most government-sponsored actors avoid using zero-days because they don't need to. Zero-days affecting Exchange are even rarer and are incredibly valuable because unauthenticated remote code execution on mail servers is a very bad thing. It was therefore surprising that the threat actors 'burned' valuable exploits by executing malware that would be quickly detected by many security vendors.
So why do it?
It is always risky to make assumptions or attempt to rationalize the actions of threat actors who are operating in an unknown operational and cultural context. The most plausible hypothesis in this case is that the threat actors leveraging these exploits knew that their operations had been exposed and that the vulnerabilities they were exploiting were about to get patched. They may have leveraged these exploits for one last mass compromise, using malware that they were intimately familiar with, before organizations started to remove the vulnerability. This scenario also suggests that victims who were compromised earlier were likely higher priority targets. In those compromises, the threat actors likely used stealthier tactics for persistent access and data exfiltration.
Secureworks CTU™ researchers and incident responders continue to work together to understand the risk to our customers and better understand the threat actors' actions and intent.
Organizations should apply security updates and follow the mitigation advice published by Microsoft, including checking for configuration changes to VirtualDirectory properties. Applying layered controls that assume prevention will fail is the best proactive defense, as these security controls will likely detect threat actor activity before significant harm occurs.
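As an added example (not code from the Secureworks post or from Microsoft's guidance), the following PowerShell script, run from the Exchange Management Shell on an on-premises server, reviews the virtual directory URL properties referred to above and reports any that are not plain http(s) URLs or that belong to a virtual directory modified since an assumed review window starting 1 January 2021; the cmdlet list and the cut-off date are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumptions: the Get-*VirtualDirectory cmdlets listed are available (standard in the EMS);
# the 2021-01-01 cut-off is an assumed review window based on the reported campaign start.
$since = Get-Date '2021-01-01'

$cmdlets = @(
    'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
    'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
    'Get-MapiVirtualDirectory', 'Get-AutodiscoverVirtualDirectory', 'Get-PowerShellVirtualDirectory'
)

function Test-LooksLikeUrl {
    param([string]$Value)
    # An empty value is a legitimate "not set"; anything else must parse as an absolute http(s) URI.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $true }
    $uri = $null
    if (-not [Uri]::TryCreate($Value, [UriKind]::Absolute, [ref]$uri)) { return $false }
    return ($uri.Scheme -eq 'http' -or $uri.Scheme -eq 'https')
}

function New-Finding([object]$VDir, [string]$Property, [string]$Value, [string]$Reason) {
    [pscustomobject]@{
        Server = $VDir.Server; Identity = $VDir.Identity
        Property = $Property; Value = $Value; Reason = $Reason
    }
}

$findings = foreach ($cmdlet in $cmdlets) {
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($vdir in (& $cmdlet -ErrorAction SilentlyContinue)) {
        # Flag the directory once if its configuration object changed inside the review window.
        if ($vdir.WhenChanged -ge $since) {
            New-Finding $vdir 'WhenChanged' ([string]$vdir.WhenChanged) 'modified within review window'
        }
        # Check every *Url property the object exposes rather than hard-coding InternalUrl/ExternalUrl.
        foreach ($prop in ($vdir.PSObject.Properties | Where-Object { $_.Name -match 'Url$' })) {
            $value = [string]$prop.Value
            if (-not (Test-LooksLikeUrl $value)) {
                New-Finding $vdir $prop.Name $value 'value is not a plain http(s) URL'
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No virtual directory findings.' }
```

Any property value that fails the URL check deserves manual review against the server's known-good configuration before being changed, since legitimate customisations can also trip the check.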