Security News

Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable on-premises versions of Microsoft Exchange Server software in the United States. Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access.

FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice said Tuesday. After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.

The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday. "Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated," the Justice Department noted in an announcement.

A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers' owners. On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM. These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers.

The FBI arrested a Texas man on Thursday for allegedly planning to "Kill of about 70% of the internet" in a bomb attack targeting an Amazon Web Services data center on Smith Switch Road in Ashburn, Virginia. Seth Aaron Pendley, 28, was charged via criminal complaint on Friday morning for attempting to destroy a building using C-4 plastic explosives he tried to buy from an undercover FBI employee.

The U.S. government is warning that Advanced Persistent Threat actors are exploiting vulnerabilities in Fortinet FortiOS in ongoing attacks targeting commercial, government, and technology services networks. The warning, issued in a joint advisory by FBI and the Cybersecurity and Infrastructure Security Agency, follows the recent release of security patches covering serious security flaws in Fortinet's flagship FortiOS product.

UPDATE. The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company's SSL VPN products. The bug tracked as CVE-2018-13379 is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warn of advanced persistent threat actors targeting Fortinet FortiOS servers using multiple exploits. In the Joint Cybersecurity Advisory published today, the agencies warn admins and users that the state-sponsored hacking groups are "Likely" exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The FBI warns that Mamba ransomware attacks have been directed at entities in the public and private sector, including local governments, transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. Mamba ransomware relies on an open-source software solution named DiskCryptor to encrypt victim computers in the background with a key defined by the attacker.

The Federal Bureau of Investigation this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system. The Mamba ransomware is abusing the open source application for malicious purposes, and has been doing so in a multitude of attacks.