Security News > 2021 > April > FBI nuked web shells from hacked Exchange Servers without telling owners
A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners.
On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM. These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers.
"Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own," the FBI stated in an affidavit in support of a search warrant.
To clean the identified Microsoft Exchange servers, the FBI accessed the web shell using known passwords utilized by the threat actors, copied the web shell as evidence, and then executed a command to uninstall the web shell from the compromised server.
"FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the approximately web shells to the servers to delete the web shells themselves," the FBI explained in the affidavit.
The DOJ press release states that the FBI operation was successful and that they could remove hundreds of web shells from compromised US Exchange Servers.
News URL
Related news
- FBI spots HiatusRAT malware attacks targeting web cameras, DVRs (source)
- Apache fixes remote code execution bypass in Tomcat web server (source)
- FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation (source)
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers (source)
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)