SecurityWeek

Email Security

FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers

FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice (DoJ) said Tuesday.


After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.

In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Unfortunately, many organizations were not able to patch systems and/or remove associated malware that was installed.

In what appears to be the first known operation of its kind, the FBI “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

“Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” the DoJ explained.
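Because each shell sat at its own path and under its own name, a defender cannot search for one known filename; the practical approach is to inventory every ASP.NET script file under the Exchange web directories and compare it against a known-good baseline. The following PowerShell is an added example written for this article, not part of the DoJ filing or any Microsoft tooling. The web root, the evidence folder and the baseline hash are placeholders; a real baseline should be built from a patched, known-clean server of the same build.

```powershell
# Added example (not from the article): inventory ASP.NET script files under an
# Exchange web root and flag any whose SHA-256 is not in a known-good baseline.
# $WebRoot, $EvidenceDir and the baseline entry are placeholders (assumptions).
param(
    [string]$WebRoot     = 'C:\PLACEHOLDER\ExchangeWebRoot',
    [string]$EvidenceDir = 'C:\PLACEHOLDER\Evidence',
    [datetime]$Since     = (Get-Date).AddDays(-90)
)

# Constructed baseline: SHA-256 -> relative path of files that belong to the
# installation. Populate it from a clean reference server, never from the
# server under investigation.
$Baseline = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER\default.aspx'
}

# File types that can execute server-side code under IIS/ASP.NET.
$Extensions = '*.aspx', '*.ashx', '*.asmx', '*.asax'

$findings = Get-ChildItem -Path $WebRoot -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTimeUtc
            Modified   = $_.LastWriteTimeUtc
            Size       = $_.Length
            SHA256     = $hash
            InBaseline = $Baseline.ContainsKey($hash)
            # Files written after the suspected intrusion window are reviewed first.
            Recent     = ($_.CreationTimeUtc -ge $Since) -or ($_.LastWriteTimeUtc -ge $Since)
        }
    }

$unknown = $findings | Where-Object { -not $_.InBaseline } | Sort-Object Modified -Descending

# Preserve a copy of every unknown file before anyone deletes it, so the
# evidence survives remediation and can be shared with law enforcement.
if ($unknown) {
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    foreach ($f in $unknown) {
        Copy-Item -Path $f.Path -Destination (Join-Path $EvidenceDir ($f.SHA256 + '.bin')) -Force
    }
    $unknown | Export-Csv -Path (Join-Path $EvidenceDir 'unknown-script-files.csv') -NoTypeInformation
}

$unknown | Format-Table Path, Created, Modified, Size, Recent, SHA256 -AutoSize
```

The script only surfaces candidates for review; a file that is absent from the baseline may be a legitimate customization, and a shell that was deleted after the attackers installed other tooling leaves nothing for this inventory to find. As the DoJ notes below, removing a shell is not the same as patching the server or hunting for the malware that may have been dropped through it.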

While FBI agents copied and removed web shells that provided attackers with backdoor access to servers, organizations may not be in the clear.


“This operation was successful in copying and removing those web shells,” the Justice Department says. “However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

While Microsoft attributed the original attacks in January to the China-linked HAFNIUM threat actors, multiple hacking groups followed soon after the Exchange vulnerabilities were publicized.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

With most of the work already done, the FBI is now attempting to notify owners or operators of the computers from which it purged the web shells.

Organizations that believe they have a Microsoft Exchange Server that remains compromised should contact their local FBI Field Office for assistance.

Company/organization names and IP addresses of those touched by the operation were redacted from publicly available court documents.

The uncovering of the operation comes just as four new critical security vulnerabilities in Exchange Server were fixed as part of this month’s Patch Tuesday bundle. Because of the severity of the additional issues, Microsoft teamed with the U.S. National Security Agency (NSA) to urge the immediate deployment of the new fixes.


Related: CISA Details Malware Found on Hacked Exchange Servers

Related: CISA Releases Tool to Detect Microsoft 365 Compromise

Related: Ransomware Operators Start Targeting Microsoft Exchange Vulnerabilities

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
