Blurred background of server hardware showing takedown of web shells on compromised Microsoft Exchange servers

FBI Removes Web Shells From Compromised Third-Party Microsoft Exchange Servers Without Notifying the Owners

The FBI removed web shells from compromised Microsoft Exchange Servers through a court order without notifying the server owners.

Microsoft security threat intelligence earlier said that Chinese malicious cyber actors exploited Microsoft Exchange server vulnerabilities to install remote administration web shells for exfiltrating data and delivering additional malware payloads.

The FBI argued that some entities running Microsoft exchange servers were unable to remove the web shells. The bureau added that the remaining web shells posed a significant threat to the victims.

Court order allows the FBI to remove web shells on third-party Microsoft Exchange servers

The FBI requested permissions to remove web shells on compromised third-party Microsoft exchange servers.

The agency added that the still-compromised Microsoft Exchange servers posed a significant risk but the owners lacked the technical ability to remove the China Chopper web shells.

Thus, the bureau believed it was necessary to intervene to prevent more Microsoft Exchange server attacks in the United States.

“Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own,” FBI’s affidavit stated.

The acting US Attorney for the Southern District of Texas Jennifer Lowery approved the operation to covertly remove web shells from compromised Microsoft Exchange servers.

The Houston court approved the search warrant for 14 days starting April 9, 2021. The District Court also allowed the FBI to delay notifying the owners until it was no longer detrimental to the operation.

Lowery described the operation as “partnerships with [the] private sector and government colleagues.”

The FBI believed that warning the victims would compromise the operation. They also requested to search for “any time in the day or night” to avoid alerting the threat actors of the operation.

“Accordingly, the United States requests approval from the Court to delay notification until May 9, 2021, 30 days from the first possible date of execution on April 9, 2021, or until the FBI determines that there is no longer need for delayed notice, whichever is sooner,” the affidavit requested.

The FBI would later use its official email account or ISP providers to notify Microsoft exchange server owners whose servers were accessed during the operation.

However, the notification process gives the threat actors another opportunity to execute phishing attacks by impersonating the FBI.

The FBI used known passwords used by threat actors to connect to the web shells, copied them as evidence before executing the delete command. However, the agency did not install updates leaving the servers vulnerable.

The Department of Justice confirms the successful removal of malicious web shells

The Department of Justice announced the successful removal of China Chopper web shells from compromised Microsoft Exchange servers.

“Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

Microsoft released a series of security updates on March 2 and detection tools to detect and mitigate related cybersecurity incidents.

About 92% of Exchange servers have been patched for ProxyLogon vulnerabilities. Microsoft, CISA, and the FBI advise the remaining server owners to install the updates.

“It’s a wise move given that exposed web shells clearly indicate that server owners are either unaware of the server’s existence or are grossly negligent having unpatched and compromised system exposed to the Internet,” Ilia Kolochenko CEO, Founder, and Chief Architect at ImmuniWeb. “Hacked servers are actively used in sophisticated attacks against other systems, amplify phishing campaigns and hinder investigation of other intrusions by using the breached serves as chained proxies.”

Kolochenko says FBI removal of web shells from compromised Microsoft Exchange servers is a legitimate action in cyber self-defense.

“In any case, neither hackers nor server owners will probably complain or file a lawsuit for unwarranted intrusion. What is interesting is whether the FBI later transfers the list of sanitized servers to FTC or state attorney generals for investigation of bad data protection practices in violation of state and federal laws.”

Tim Wade, Technical Director, CTO Team at Vectra says the FBI’s action is an indicator of how the agency perceives the risk.

“First, this is a strong indicator of the extent at which these vulnerabilities have been leveraged for nefarious ends and the risk that the FBI perceives to be present.

Second, this likely also exposes the challenges that individual organizations have in the detection, response, and remediation phases of an attack – at least a subset of those targeted for action by the FBI are likely to have patched, but been insufficiently equipped to fully eradicate the adversary’s foothold.

Lastly, however, I do wonder about some of the precedent and legal landscape that will inevitably wander through as a result of activities like this becoming more proactive and prevalent on behalf of the FBI – we’ll need to exercise good judgment and due care to preserve the balance between acting in the public good, and affording proper protections for private entities.”

Rick Holland, Chief Information Security Officer and Vice President Strategy at Digital Shadows, described the operation as a sign that the Biden administration was willing to play an active role in cyber defense.

“In the wake of the SolarWinds incident, the U.S. government and the Biden administration are signaling a more active role in defending private entities. This announcement of this action also occurred one day after President Biden announced his intention to nominate former NSA veterans Chris Inglis as the National Cyber Director Executive Office of the President and Jen Easterly as the director of CISA.

Holland is, however, wary of unintended consequences of the FBI’s action, including the involvement of an external expert.

“In addition to potential legal actions, if damages occurred, this will undoubtedly raise concerns with privacy advocates and civil libertarians.”

He points out that private businesses cannot match state-sponsored persistent threat actors behind ProxyLogon exploitation.

“Despite the possible objections, American companies are outgunned and overmatched by nation-state actors like China, Russian, Iran, and North Korea. While it may be controversial for some, this type of activity will be welcomed by others. Effective coordination with the private sector will be critical for the success of this and future operations.”