FBI silently removed web shells planted on Microsoft Exchange servers in the US

FBI log into web shells that hackers installed on Microsoft Exchange email servers across the US and removed the malicious code used by threat actors.

A US judge granted the FBI the power to log into web shells that were injected by nation-state hackers on Microsoft Exchange servers across the US and remove the malware, announced the US Department of Justice.

“Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service.” reads the press release published by DoJ. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

Shortly after the public disclosure of the flaws, the Check Point Research team reported that in a time span of 24 hours the exploitation attempts are doubling every two hours.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers. In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants. 

Now FBI was able to access the web shells implanted by hackers that were not properly secured and uninstall the malware deployed by threat actors. At the time of this writing, it is not clear how many web shells the FBI removed.

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

FBI experts only sanitized the Microsoft Exchange servers but did not patch the systems, which means that they are still vulnerable to ProxyLogon attacks.

“Combatting cyber threats requires partnerships with private sector and government colleagues,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas. “This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyberbreaches.” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division.

The FBI is going to notify all the organizations whose Microsoft Exchange servers were sanitized by its experts as part of this campaign.

In March, Microsoft released an Exchange On-premises Mitigation Tool (EOMT) tool for small businesses for the fix of ProxyLogon vulnerabilities.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange servers)

[adrotate banner=”5″]

[adrotate banner=”13″]