A court order has authorized an FBI operation to remove Web shells deployed on machines running on-premises versions of Microsoft Exchange Server, the Justice Department reports.
As part of the operation, which authorized the activity for email servers in the United States, the FBI copied and removed "one early hacking group's remaining web shells" from affected targets. The Web shells could have been used to maintain and increase unauthorized access to networks if left on the compromised machine, say officials, who call the operation "successful."
News of the operation arrives roughly six weeks after Microsoft disclosed critical Exchange Server flaws that have since been used to target thousands of networks around the world. An attacker could leverage the vulnerabilities to break into an unpatched server and steal its data.
At the time it released patches, Microsoft identified one group behind the activity as Hafnium, a state-sponsored group operating out of China. However, many more groups have also begun to use these vulnerabilities to deploy ransomware or cryptomining attacks, among other activity.
Many organizations rushed to patch the bugs: On March 24, Microsoft reported 92% of global Exchange IPs had been patched. But while applying a patch will prevent future compromise, it won't remove malicious code already present on a machine. Court documents unsealed today cite open source reporting that states there may be at least 60,000 global Microsoft customers whose Exchange Servers were compromised using the vulnerabilities.
These attacks often start with deploying a Web shell, which attackers can use to communicate with target machines and distribute files to infect them with additional malware. A public scan revealed Web shells were still present on target servers. The court did not disclose an exact numbers; however, a Justice Department release published this week says hundreds of Web shells persisted unmitigated on computers in the US and likely wouldn't be removed.
"Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because the victims lack the technical ability to remove them on their own," an FBI special agent (name redacted) wrote in the warrant application.
The warrant granted the FBI authorization to search compromised Microsoft Exchange Servers and uninstall the Web shells present on them to prevent further attack activity.
In the court documents, officials explain that FBI personnel accessed the Web shells, entered passwords, made a copy of the Web shell, and then issued a command through each of the Web shells to the servers, instructing them to delete the Web shell from the target computer. In a test process, the command deleted a Web shell but didn't affect other files or services on a device. Officials note this process also did not patch any of the Exchange Server zero-days.
"Although today's operation was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting web shells," the statement says.
The FBI is now attempting to contact owners or operators of the machines from which it removed malicious Web shells. Those with publicly available contact information will receive an email message from an official FBI.gov email address. For those whose contact data is not public, the FBI will attempt to contact providers to provide notice.
Attacks targeting the Exchange Server vulnerabilities are ongoing, posing a significant challenge to defenders. Officials encourage admins to review Microsoft's remediation guidance for more details on detection, remediation, and patching.
News of the FBI operation arrives one day after Microsoft patched four more critical Microsoft Exchange Server vulnerabilities. All of these were discovered by the National Security Agency and affect Exchange Server versions 2013 through 2019. Two have a CVSS score of 9.8, higher than those of the zero-day vulnerabilities patched last month, and have a "network" attack vector, meaning they likely are wormable — at least between Exchange Servers.