Security News > 2021 > April > FBI nuked web shells from hacked Exchange Servers without telling owners

A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners.

On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM. These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers.

"Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own," the FBI stated in an affidavit in support of a search warrant.

To clean the identified Microsoft Exchange servers, the FBI accessed the web shell using known passwords utilized by the threat actors, copied the web shell as evidence, and then executed a command to uninstall the web shell from the compromised server.

"FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the approximately web shells to the servers to delete the web shells themselves," the FBI explained in the affidavit.

The DOJ press release states that the FBI operation was successful and that they could remove hundreds of web shells from compromised US Exchange Servers.

News URL

https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/