The feds removed web shells that provided backdoor access to cybercriminals in a recent exploit of Microsoft Exchange.
Federal authorities in the U.S. have swooped in to eliminate malicious backdoor code planted by attackers on vulnerable Microsoft Exchange servers across the country. In a news release published Tuesday, the U.S. Department of Justice announced the court-authorized effort to copy and remove web shells that had been installed on on-premises versions of Microsoft Exchange Server software. Web shells are malicious pieces of code that give attackers continuous remote administrative access to a compromised system.
In March, Microsoft and other companies revealed a series of cyberattacks from Chinese hackers and other groups in which they exploited several zero-day flaws in Exchange Server to access sensitive email accounts. The attacks initially surfaced in January but have continued as affected organizations have scrambled to patch the vulnerabilities.
Many Exchange users were able to get rid of the web shells themselves, according to the DOJ. But others were unable to do so, prompting the feds to step in. This latest effort eliminated the remaining web shells of one specific hacking group, which would have given it persistent access to Exchange servers in the U.S. had they remained.
The FBI pulled off the operation by sending a command through each web shell to force the servers to delete just the web shell portion. Each of the web shells had a unique name and file location, a factor that likely made their removal more challenging for individuals used to dealing with generic code.
“First, this is a strong indicator of the extent at which these vulnerabilities have been leveraged for nefarious ends, and the risk that the FBI perceives to be present,” said Tim Wade, technical director for the CTO team at Vectra. “Second, this likely also exposes the challenges that individual organizations have in the detection, response and remediation phases of an attack—at least a subset of those targeted for action by the FBI are likely to have patched but been insufficiently equipped to fully eradicate the adversary’s foothold.”
Though the FBI successfully killed off the remaining web shells, it didn’t remove any other malware or hacking components that the attackers may have installed. As such, organizations still need to take specific steps to fully mitigate the threat. Those with in-house Exchange servers are urged to follow Microsoft’s guidance on the exploits and apply the necessary patches for the zero-day vulnerabilities.
The FBI said it’s notifying Exchange users of the operation by directly emailing them through publicly available contact information. For users whose contact info is not publicly accessible, the agency will email the details to the organization’s ISP to pass along to the victim.
“The speed with which the FBI conducts the victim notification is critical,” said Rick Holland, CISO and VP of strategy at Digital Shadows. “The FBI notification process itself provides actors an opportunity to target new victims. Bad actors can set up a phishing lure that purports to be from a legitimate FBI address to social engineer their targets.”
Plus, the FBI’s effort doesn’t end the threat.
“The FBI only removed the web shells, not the software vulnerabilities themselves,” Holland said. “Chinese actors will no doubt have already set up additional ways to maintain persistence in their victim networks. We will see a ‘gold rush’ of other malicious actors seeking to reinfect the unpatched Exchange servers.”