Security News > 2021 > April > FBI removes web shells from hacked Microsoft Exchange servers
Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable on-premises versions of Microsoft Exchange Server software in the United States.
Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access.
The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell.
Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.
Despite these efforts, by the end of March, hundreds of web shells remained on certain United States-based computers running Microsoft Exchange Server software.
It did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/vfl58RoBOqg/
Related news
- Microsoft: Exchange 2016 reaches extended end of support in October (source)
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- Microsoft: August updates cause Windows Server boot issues, freezes (source)
- Microsoft: Exchange Online mistakenly tags emails as malware (source)
- FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- FBI tells public to ignore false claims of hacked voter data (source)
- Russian security firm Dr.Web disconnects all servers after breach (source)