The Federal Bureau of Investigation (FBI) has removed malicious web shells from hundreds of corporate servers in at least eight states without the knowledge or permission of the servers' owners.
The web shells had been installed on corporate Exchange Servers that were compromised by Advanced Persistent Threat (APT) groups exploiting the ProxyLogon Microsoft Exchange Server vulnerabilities. More than a month has passed since Microsoft released patches for the flaws and organizations were first warned that the Hafnium APT group was exploiting them. Within days of that warning, almost a dozen other APT groups had started exploiting the same flaws.
There are four ProxyLogon Microsoft Exchange Server vulnerabilities, tracked as CVE-2021-26855 (a pre-authentication server-side request forgery), CVE-2021-26857 (insecure deserialization in the Unified Messaging service), and CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file writes). Chained together they give an unauthenticated attacker remote code execution and full control of a vulnerable on-premises Exchange Server. Once the server is under their control, attackers can intercept email and exfiltrate mailboxes. The file-write flaws were used to drop web shells, small server-side scripts placed in web-accessible directories, which gave the attackers persistent access for further attacks even after the initial entry point was closed. Around 68,000 Exchange Servers worldwide are thought to have been compromised.
For many organizations the patches came too late: the APT groups had already gained access and deployed their web shells, and patching closes the entry point but does not remove a web shell that is already on disk. Many organizations found and removed the web shells, but others were either unaware they existed or were unable to remove them, leaving hundreds of web shells in place and unmitigated.
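A practitioner reading this will want a way to check their own Exchange servers for leftover shells. The following is an added example, not code from the article or from any of the organizations it mentions. It scans directories for `.aspx` files whose content looks like a one-line ASP.NET web shell (inline server-side script that evaluates request data) and returns the matches with their modification time. The directory list and the indicator strings are assumptions drawn from public write-ups of the 2021 Exchange intrusions, not from this page; the two sample pages in `demo()` are constructed for the example.

```python
"""Heuristic hunt for ASP.NET web shells in Exchange web directories.

Added example; not the article's or any vendor's code. Directory paths and
indicator patterns are assumptions taken from public reporting on the 2021
Exchange intrusions, not from the article itself.
"""
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directories in which dropped .aspx shells were commonly reported
# (assumption from public write-ups; adjust to your install path).
EXCHANGE_WEB_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]

# Content indicators of a minimal ASP.NET web shell: an inline server-side
# script block that evaluates attacker-supplied request data or spawns
# processes. Legitimate Exchange pages use code-behind, not inline scripts.
INDICATORS = {
    "runat_server_script": re.compile(r'<script[^>]*runat\s*=\s*["\']server["\']', re.I),
    "eval_of_request": re.compile(r"\beval\s*\(\s*Request\b", re.I),
    "unsafe_eval_flag": re.compile(r'"unsafe"'),
    "process_start": re.compile(r"System\.Diagnostics\.Process"),
}


def scan_file(path):
    """Return the names of the indicators that match the file's content."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def hunt(dirs, min_hits=2):
    """Walk the given directories and flag .aspx files that look like shells.

    A file is flagged when it evaluates request data directly, or when at
    least `min_hits` indicators match (keeps noise from ordinary pages down).
    """
    findings = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*.aspx")):
            hits = scan_file(p)
            if "eval_of_request" in hits or len(hits) >= min_hits:
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                findings.append({"path": str(p), "hits": hits, "mtime": mtime.isoformat()})
    return findings


def demo():
    """Run the hunt over a constructed directory holding one benign page and
    one shell-like page; returns the findings (only the shell should appear)."""
    tmp = Path(tempfile.mkdtemp(prefix="owa_auth_"))
    try:
        # Constructed benign page: code-behind directive, no inline script.
        (tmp / "logon.aspx").write_text(
            '<%@ Page Language="C#" AutoEventWireup="true" '
            'CodeBehind="logon.aspx.cs" Inherits="Logon" %>\n'
            '<html><body><form runat="server">'
            '<asp:TextBox ID="username" runat="server" /></form></body></html>\n'
        )
        # Constructed shell-like page modelled on the widely documented
        # one-line ASPX pattern: inline script evaluating a request parameter.
        (tmp / "sample_shell.aspx").write_text(
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["cmd"],"unsafe");}'
            "</script>\n"
        )
        return hunt([tmp])
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # On a real server replace demo() with hunt(EXCHANGE_WEB_DIRS).
    for f in demo():
        print(f["path"], f["hits"], f["mtime"])
```

This is a triage aid, not proof of a clean server: obfuscated or non-ASPX shells will not match these patterns, and a hit on modification time alone does not prove compromise. Treat any flagged file as an incident indicator, compare its modification time against the date the server was patched, and follow up with the vendor's published detection scripts and indicator lists rather than stopping at a file deletion.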
To address the problem, the FBI applied to the U.S. District Court for the Southern District of Texas in Houston for a search warrant, which the court approved, giving the FBI the authority to remove the web shells.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explained the Department of Justice. Because the command deleted only the shell file itself, it neither patched the underlying vulnerabilities nor removed any other tools or persistence the attackers may have left behind, so affected organizations still need to patch and investigate their servers. The operation will continue to run until April 23, 2021. While permission was not obtained from the companies in question, the FBI is attempting to notify them.
This is thought to be the first time the courts have approved such an action since the Federal Rules of Criminal Procedure were amended in 2016. The amended Rule 41 allows a single judge to issue a warrant for remote access to computers located in five or more judicial districts when those computers have been damaged in a computer-intrusion offense, the situation that arises in a botnet or, as here, a mass compromise; the change was intended to make coordinated cleanup operations possible.
“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas.