FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners


The US Department of Justice reported that a court in early April granted the FBI special powers and the bureau removed web shells previously installed by hackers on vulnerable Exchange servers in the United States. The FBI also had the power to remove other malware (without notification of the server owners).

The FBI did not say how many web shells were removed, but stated that “the operation was successful”.


Let me remind you that the root of the problem lies in the fact that in early March 2021, Microsoft engineers released out-of-band patches for four vulnerabilities, which researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data. As a result, attacks on vulnerable servers were carried out by more than 10 hacker groups, deploying web shells, miners and ransomware on the servers.

According to the US authorities and information security experts, Chinese “government” hackers actively used ProxyLogon bugs back in January and February 2021, and after the vulnerabilities were made public, other criminals also joined them.

As reported now, some of these web shells were not properly secured and reused the same password. The FBI officers took advantage of this circumstance to remove the malware.

“Today’s court-sanctioned deletion of malicious web shells demonstrates the Justice Department’s commitment to suppress hacking by using all available legal tools, not just prosecution,” the Justice Department said.

It is emphasized that during the operation, the FBI did not patch vulnerable Exchange servers and did not try to detect and remove other malicious programs that could have been installed on the system using web shells.

“Based on my training and experience, most victims are unlikely to delete the remaining web shells on their own, because they are difficult to find due to the unique file names and paths, and because the victims do not have the technical ability to delete them on their own,” an FBI official said under oath when the Bureau asked the court for a warrant.
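The affidavit’s point is that web shells with unique file names and paths are hard to spot by eye. One defensive way around that is to compare the .aspx files under the Exchange web roots against a baseline of known-good hashes, so that any file the build did not ship (whatever its name) or any shipped file whose content changed is flagged. The script below is an added example, not code from the article or from the FBI or Microsoft; the directory layout, the baseline approach and the sample files are constructed for illustration, and on a real server the scan root would be the Exchange installation’s FrontEnd\HttpProxy and ClientAccess directories with a baseline taken from a clean install.

```python
"""Added example (not part of the original article): baseline-diff scan for
unexpected .aspx files under Exchange web roots.

Assumptions (not from the article): the defender has a baseline of SHA-256
hashes of the .aspx files that shipped with the Exchange build, recorded from
a clean install or a known-good server; paths here mimic the Exchange layout
but are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large .aspx files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every .aspx under root (clean state)."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.aspx")}


def find_unexpected_aspx(root: Path, baseline: dict) -> list:
    """Return (relative_path, reason) for .aspx files that are absent from the
    baseline or whose hash differs from it. A dropped file with a random-looking
    name is caught because it can never match a baseline entry, so the defender
    does not need to know the name in advance."""
    findings = []
    for p in root.rglob("*.aspx"):
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "hash mismatch"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: take a baseline of a clean tree, then simulate
    one new file and one modified file and rescan."""
    tmp = Path(tempfile.mkdtemp())
    auth = tmp / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text('<%@ Page Language="C#" %> legitimate logon page\n')
    baseline = build_baseline(tmp)
    # Simulated post-compromise state (constructed placeholders, not real web
    # shell content): a file with a random-looking name appears, and a shipped
    # page is altered.
    (auth / "a1b2c3d4.aspx").write_text("<%-- constructed placeholder --%>\n")
    (auth / "logon.aspx").write_text('<%@ Page Language="C#" %> modified\n')
    return find_unexpected_aspx(tmp, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Findings still need a human to confirm (a legitimate customization also produces a hash mismatch), and, as the article notes, removing a shell does not patch the server or remove anything else the shell was used to install; the scan only tells you where to look.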

The FBI is currently notifying victims whose Exchange servers were compromised and discovered during the operation.

By Vladimir Krasnogolovy
