Industry Reactions to FBI Cleaning Up Hacked Exchange Servers: Feedback Friday (Security News, April 2021)
U.S. authorities revealed this week that the FBI executed a court-authorized cyber operation to remove malicious web shells from hundreds of compromised Microsoft Exchange servers located in the United States.
"The effort by the FBI, as described in the Justice Department press release, amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not ok. While I understand the good intention - the FBI wants to remove the backdoor - this sets a dangerous precedent where law enforcement is given broad permission to access private servers."
"It's an extraordinary step for the FBI to remove backdoors from hundreds of Microsoft Exchange email servers throughout the US. The Microsoft patch, issued 6 weeks ago, fixed the vulnerabilities and stopped any new infections, but couldn't remediate any already exposed backdoors from breached servers."
"When you're the victim of an extortion attempt, for example, you call the FBI. They're the experts. Now they've applied their expertise, and their responsibility to respond to serious federal crimes, to a new area: cybercrime response. The fact that the FBI has become involved in cleaning up the HAFNIUM attacks against Microsoft Exchange is a strong wake-up call that the U.S. government takes these attacks very seriously, maybe more seriously than some Exchange administrators have to date."
"That's because any compromised server can be used to move laterally inside an organization - so one compromised Exchange server can give the attacker a toehold that allows capturing more valuable or sensitive information. Every organization that has on-premises Exchange servers should reinforce their security discipline, make sure that they're patching their systems in a timely way, and thoroughly investigate their entire network, not just their Exchange servers, to see whether they've been compromised by HAFNIUM. The more you protect your own resources, the more time and energy the FBI will have to protect others who can't protect themselves effectively."
"Thus, arguably, such preventive removal may be considered a legitimate self-defense in cyberspace. In any case, neither hackers nor server owners will probably complain or file a lawsuit for unwarranted intrusion. What is interesting is whether the FBI later transfers the list of sanitized servers to the FTC or state attorneys general for investigation of bad data protection practices in violation of state and federal laws."