Security News > 2021 > April > FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers
FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice said Tuesday.
After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.
In what appears to be the first known operation of its kind, the FBI "Removed one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks."
According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell.
"Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells," the DoJ explained.
While FBI agents copied and removed web shells that provided attackers with backdoor access to servers, organizations may not be in the clear.
News URL
Related news
- Microsoft: Exchange 2016 reaches extended end of support in October (source)
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- Microsoft: August updates cause Windows Server boot issues, freezes (source)
- Microsoft: Exchange Online mistakenly tags emails as malware (source)
- FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- FBI tells public to ignore false claims of hacked voter data (source)
- Russian security firm Dr.Web disconnects all servers after breach (source)