FBI removes web shells from compromised Exchange servers
Authorities step in to thwart attacks leveraging the recently-disclosed Microsoft Exchange Server vulnerabilities
The United States’ Federal Bureau of Investigation (FBI) has carried out a court-approved operation to “copy and remove” malicious web shells from hundreds of systems across the US that were compromised through the mass exploitation of zero-day flaws in Microsoft Exchange Server earlier this year.
The Department of Justice (DoJ) said that many IT admins have since cleansed their systems of the malicious web shells, which were used for backdoor access to the servers. However, other systems “persisted unmitigated”, which is where the operation came in.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” said the DoJ. In the meantime, the Bureau is contacting the owners of the computers that they accessed to notify them of the removal of the malware.
The move came after Microsoft disclosed a large-scale campaign exploiting security loopholes in internet-facing Microsoft Exchange servers. The vulnerabilities, which were patched via an out-of-band update, were being exploited to access servers running on-premises versions of the software and allowed threat actors to steal emails, download data, and compromise the machines with backdoors for long-term access to the networks. Within days, ESET research found that multiple APT groups had been targeting the vulnerabilities, and there are also mounting concerns about threat actors dropping ransomware, among other threats, on vulnerable systems.
The DoJ hailed the FBI’s operation as a success, but pointed out that, beyond the web shells, the FBI didn’t search for any other malicious activity or hacking tools on the affected systems, nor did it implement the patches. The patching and detection have been left to network administrators, who were strongly urged to apply guidance from Microsoft and the joint advisory issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
Assistant Attorney General John C. Demers said that the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.” Meanwhile, Acting Assistant Director Tonya Ugoretz, issued a stark warning to cybercriminals: “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners.”