CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system.
In addition to the MARs, CISA added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.
CISA encourages users and administrators to review the following resources for more information.
- Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- MAR-10328877-1.v1: China Chopper Webshell
- MAR-10328923-1.v1: China Chopper Webshell
- MAR-10329107-1.v1: China Chopper Webshell
- MAR-10329297-1.v1: China Chopper Webshell
- MAR-10329298-1.v1: China Chopper Webshell
- MAR-10329301-1.v1: China Chopper Webshell
- MAR-10329494-1.v1: China Chopper Webshell
- CISA’s Remediating Microsoft Exchange Vulnerabilities web page
- CISA’s Ransomware Guidance and Resources web page
This product is provided subject to this Notification and this Privacy & Use policy.