FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

Remote-control malware wiped, deployments must still be patched


The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday.

The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers' owners, following the discovery and exploitation of critical vulnerabilities in the enterprise software.

Shortly after Microsoft raised the alarm early last month over the security holes in Exchange and provided fixes for the vulnerabilities, miscreants swarmed to exploit the programming blunders and hijack unpatched installations. (Certain groups were even breaking in Exchange servers via the holes before their existence was public knowledge.)

The FBI found hundreds of such compromised deployments with backdoors installed by one cyber-gang in particular, leading to agents asking the courts to allow them to go in and delete the malicious code. The court approved the action and the document was unsealed this week, 30 days later.

The NSA logo over a US flag

NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

READ MORE

“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the Justice Department noted in an announcement. “Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

The FBI deleted the shells by issuing a command through the web shell to the server “which was designed to cause the server to delete only the web shell (identified by its unique file path),” it said. Critically, however, the Feds did not touch the servers themselves and so they remain unpatched and open to infiltration.

Cybersecurity joint effort

The FBI said it will try to send emails to the operators of all the servers it discovered the web shells on, advising them how to patch their equipment.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said assistant attorney general John Demers from the Justice Department’s National Security Division.

“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.”

The action was OK'd [PDF] by a Texas court. The acting US Attorney of the Southern District of Texas, Jennifer Lowery, pitched the deletion as the sort of coordination between government and the private sector that is needed to effectively combat cybersecurity threats.

“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” she said.

“We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.” ®


Biting the hand that feeds IT © 1998–2021