
FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers

FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice (DoJ) said Tuesday.

After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers. 

In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Unfortunately, many organizations were not able to patch systems and/or remove associated malware that was installed.

In what appears to be the first known operation of its kind, the FBI “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

“Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” the DoJ explained.

While FBI agents copied and removed web shells that provided attackers with backdoor access to servers, organizations may not be in the clear.

“This operation was successful in copying and removing those web shells,” the Justice Department says. “However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
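The two points above, that each web shell carried a unique file path and name and that the operation left any other implants in place, are the case for a content baseline rather than a name-based hunt. The following is an added example, not code from the SecurityWeek article or from the DoJ filing: it assumes the defender holds a manifest of SHA-256 hashes of the web-executable files from a clean install of the same build, and reports any script file under a web-facing directory whose hash is not in that manifest. The directory, file names and file contents are constructed placeholders.

```python
"""Baseline comparison of server-side script files under web-facing directories.

Added example, not code from the SecurityWeek article or the DoJ filing.
Assumes a known-good manifest of content hashes captured from a clean install
of the same build; any web-executable file not in that manifest is reported,
whatever its name or location.
"""
import hashlib
import os
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File types the web server executes rather than serves as static content.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


@dataclass(frozen=True)
class FileEntry:
    path: str    # path as recorded in the inventory (Windows or POSIX style)
    sha256: str  # hex digest of the file contents


def is_script(path: str) -> bool:
    """True if the file has an extension the web server will execute."""
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXTENSIONS


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory_directory(root: str):
    """Walk a real directory and hash every file (for use on a live server)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                entries.append(FileEntry(full, sha256_of_bytes(fh.read())))
    return entries


def find_unexpected_scripts(inventory, baseline_hashes):
    """Return sorted paths of script files whose content hash is not in the baseline.

    Because the comparison is on content, this catches both newly dropped files
    (however unique their names) and known files that were overwritten.
    """
    return sorted(
        e.path for e in inventory
        if is_script(e.path) and e.sha256 not in baseline_hashes
    )


# --- constructed sample data: hypothetical webroot, not real Exchange paths ---
WEBROOT = r"C:\hypothetical\webroot"  # assumption: a web-facing directory

BASELINE_FILES = {
    rf"{WEBROOT}\owa\auth\logon.aspx": b'<%@ Page Language="C#" %> legitimate logon page',
    rf"{WEBROOT}\owa\auth\errorFE.aspx": b'<%@ Page Language="C#" %> legitimate error page',
}
# The manifest a defender would have captured from a clean install.
BASELINE_HASHES = {sha256_of_bytes(content) for content in BASELINE_FILES.values()}

# The live server now: one page intact, one page overwritten, one new file with
# a unique name, and one static file that the server does not execute.
SAMPLE_INVENTORY = [
    FileEntry(rf"{WEBROOT}\owa\auth\logon.aspx",
              sha256_of_bytes(BASELINE_FILES[rf"{WEBROOT}\owa\auth\logon.aspx"])),
    FileEntry(rf"{WEBROOT}\owa\auth\errorFE.aspx",
              sha256_of_bytes(b'<%@ Page Language="C#" %> tampered content')),
    FileEntry(rf"{WEBROOT}\aspnet_client\x7Qm2pL.aspx",
              sha256_of_bytes(b"<% /* constructed placeholder, not a real web shell */ %>")),
    FileEntry(rf"{WEBROOT}\owa\auth\themes\logo.png",
              sha256_of_bytes(b"\x89PNG constructed")),
]


def sample_findings():
    """Run the comparison over the constructed inventory."""
    return find_unexpected_scripts(SAMPLE_INVENTORY, BASELINE_HASHES)


if __name__ == "__main__":
    for path in sample_findings():
        print("UNEXPECTED SCRIPT:", path)
```

The manifest has to be rebuilt after every cumulative update or patch, otherwise legitimately changed pages show up as findings; a hit is a starting point for triage (timestamps, IIS logs, process lineage), not proof of compromise on its own.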

While Microsoft attributed the original attacks in January to the China-linked HAFNIUM threat actors, multiple hacking groups followed soon after the Exchange vulnerabilities were publicized.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

With most of the work already done, the FBI is now attempting to notify owners or operators of the computers from which it purged the web shells.

Organizations that believe they still have a compromised Microsoft Exchange Server should contact their local FBI Field Office for assistance.

Company/organization names and IP addresses of those touched by the operation were redacted from publicly available court documents.

The uncovering of the operation comes just as four new critical security vulnerabilities in Exchange Server were fixed as part of this month’s Patch Tuesday bundle. Because of the severity of the additional issues, Microsoft teamed with the U.S. National Security Agency (NSA) to urge the immediate deployment of the new fixes.

Related: CISA Details Malware Found on Hacked Exchange Servers

Related: CISA Releases Tool to Detect Microsoft 365 Compromise

Related: Ransomware Operators Start Targeting Microsoft Exchange Vulnerabilities

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
