FBI Removes Malicious Code From Microsoft Exchange Servers
‘Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,’ says Assistant AG John Demers.
The FBI has removed malicious web shells from hundreds of vulnerable computers running on-premises Microsoft Exchange Server after obtaining authorization from a federal judge.
The operation excised one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks, according to a statement late Tuesday from the U.S. Attorney’s Office for the Southern District of Texas. The FBI’s efforts were focused on owners of infected systems who appeared unable to remove the web shells on their own.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” John Demers, assistant attorney general for the Justice Department’s national security division, said in a statement.
The FBI carried out its operation by issuing a command through the hacker-inserted web shell to the server, which prompted the server to delete only the web shell as identified by its unique file path. The web shells removed by the FBI each had a unique file path and name, which authorities said might have made it more challenging for individual server owners to detect and eliminate them.
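The detection difficulty described above comes from the web shells having unique, unpredictable file paths and names, so a defender cannot simply search for a known filename. The usual answer is to baseline the web-served script directories when the server is known to be clean and then flag any script file that was added or modified since. The following is an added example illustrating that approach; it is not code from the article, the FBI or Microsoft. The directory layout, file names and script extensions it uses are assumptions constructed for the demonstration, and the "unexpected" file it plants contains only placeholder text.

```python
"""Baseline web-served script directories and flag added, modified or missing files.

Added example (not from the original article). All paths, names and extensions
below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: extensions the web server would execute as server-side script.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each script file under root (relative POSIX path) to its SHA-256.

    Run this once on a known-clean server and store the result; it is the
    'known good' reference later comparisons are made against.
    """
    manifest: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_to_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the current tree against the stored manifest.

    'added' files are the ones a unique-name web shell would show up as:
    script files the baseline never contained, wherever they sit in the tree.
    'modified' catches legitimate pages that had code appended to them.
    """
    current = build_manifest(root)
    return {
        "added": sorted(p for p in current if p not in manifest),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean tree, then plant an unexpected
    script file with an arbitrary name and alter a known page."""
    with tempfile.TemporaryDirectory() as tmp:
        # Assumption: a made-up layout loosely resembling a web front-end tree.
        root = Path(tmp) / "FrontEnd" / "HttpProxy"
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "ecp").mkdir(parents=True)
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- legitimate page (constructed) --%>")
        (root / "ecp" / "default.aspx").write_text("<%-- legitimate page (constructed) --%>")

        manifest = build_manifest(root)  # the known-good baseline

        # Simulated post-intrusion state: one new file with an arbitrary name,
        # one existing page changed, and one non-script file that is ignored.
        (root / "owa" / "auth" / "a7f3kq.aspx").write_text("<%-- placeholder for an unexpected file (constructed) --%>")
        (root / "ecp" / "default.aspx").write_text("<%-- page content changed (constructed) --%>")
        (root / "owa" / "auth" / "notes.txt").write_text("not a script file; not inventoried")

        return compare_to_manifest(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The point of keying on a stored manifest rather than on filenames is exactly the property the article describes: the check does not care what the dropped file is called, only that it was not present (or had different contents) when the baseline was taken. In practice the manifest should be stored off the server and regenerated after every legitimate patch or deployment, since an update to the web application will otherwise show up as a wall of "modified" entries.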
“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division, said in a statement.
Despite efforts by Microsoft and other industry partners throughout March to help victims identify and mitigate the Exchange Server vulnerabilities, hundreds of web shells remained on U.S.-based computers running Exchange software at the end of March, according to the U.S. Attorney’s Office. Victims were using on-premises versions of Exchange to provide enterprise-level email service.
Prior to that point, authorities said many infected system owners had on their own successfully removed the malicious web shells from thousands of computers. The web shells provided backdoor access to the victim’s servers, the U.S. Attorney’s Office said.
The FBI said it’s attempting to notify all owners or operators of the computers from which it removed the hacking group’s web shells. For Microsoft Exchange victims with publicly available contact information, the FBI said it’ll send an email message from an official @FBI.gov email account notifying them of the action.
For victims without publicly available contact information, the FBI said it’ll send an email message from an @FBI.gov email account to the victim’s internet service provider (ISP). The ISP will be asked by the FBI to provide notice to the victim.
The FBI’s operation didn’t patch any Microsoft Exchange Server zero-day vulnerabilities or search for additional malware or hacking tools that adversaries might have placed on victim networks. Network defenders are urged to review guidance from Microsoft and the Cybersecurity and Infrastructure Security Agency for further assistance around detecting and patching, the U.S. Attorney’s Office said.
“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” Jennifer Lowery, acting U.S. attorney of the Southern District of Texas, said in a statement. “We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated.”