A court in Houston has approved an FBI operation aimed at removing web shells from hundreds of Microsoft Exchange email servers in the United States, without first notifying their owners. The FBI operation comes just months after hackers exploited four previously undetected vulnerabilities to attack thousands of networks. The US Department of Justice (DoJ) announced the operation on 13 April, calling it "successful".
On March 2, Microsoft released a series of security updates for Microsoft Exchange addressing vulnerabilities exploited by a Chinese hacking group known as "HAFNIUM". The four vulnerabilities are collectively known as ProxyLogon and were exploited by threat actors in January and February to install web shells on compromised Exchange servers. The web shells gave the attackers remote access to the servers, which they used to steal email and account credentials.
In the weeks following the hack, government agencies issued guidance and Microsoft released a variety of scripts and tools to help victims determine whether they had been compromised and to remove web shells. At the same time, other threat actors began exploiting the Microsoft Exchange vulnerabilities to install ransomware, cryptominers and additional web shells.
In a DoJ press release issued on April 13, the FBI said it used a search warrant to access Exchange servers that were still vulnerable to compromise, copy the web shells as evidence, and then remove the web shells from the servers.
The FBI requested this warrant because it believed that the owners of the still-vulnerable servers did not have the technical ability to remove the web shells themselves and that the web shells posed a significant risk to the victims. Specifically, the agency stated the following: "Based on our training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to detect because of their unique filenames and paths or because the victims do not have the technical ability to remove them themselves."
Concerned that notifying the owners of these servers could jeopardize the operation, the FBI requested that the warrant be sealed and that notification of the warrant be delayed until the operation was completed. The FBI asked the Court for approval to delay notification until May 9, 2021, 30 days from the first possible execution date of April 9, 2021, or until the FBI determined that there was no longer a need for delayed notice. It also asked for permission to execute the search at any time of day to avoid detection by the threat actors.
To clean up the Microsoft Exchange servers, the FBI accessed the web shells using the known passwords the hackers had set on them, copied the web shells as evidence, and then issued a command to remove the web shells from the compromised servers.
Although the DoJ described the operation as "successful", the FBI said that during the operation only the web shells were removed: no security updates were applied, and no other malware that the threat actors may have installed on the servers was removed.
The FBI is currently in the process of notifying the victims whose Exchange servers were accessed during the operation. The FBI will send these notifications by email from one of its official FBI.gov email accounts or, if no contact information is available, it will work through the victim's Internet Service Provider (ISP) to make contact.
Source of information: bleepingcomputer.com