FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers

FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice (DoJ) said Tuesday.

After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers. 

In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.

Unfortunately, many organizations were not able to patch systems and/or remove associated malware that was installed.

In what appears to be the first known operation of its kind, the FBI “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

“Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” the DoJ explained.
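The DoJ's point is that a web shell with a one-off path and name defeats the obvious defence of looking for known filenames. An inventory-versus-baseline comparison catches it anyway, because it does not care what the file is called, only that a server-executable script exists under a served directory where none was before. The script below is an added illustration written for this article, not code from the DoJ, the FBI or Microsoft: the served roots, the baseline and the inventory entries are constructed sample data, and on a real host the baseline would be built from a clean install and the inventory from a walk of the IIS site directories.

```python
"""Flag server-side script files that are not in a known-good baseline.

Added example for this article (not from the DoJ announcement or from
Microsoft). All paths, names and timestamps below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Extensions IIS executes server-side. A new file with one of these under a
# served directory is worth a look whatever it is named.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}

# Directories the Exchange front end serves to the network. Constructed for
# the example; on a real host derive this list from the IIS site bindings.
SERVED_ROOTS = [
    r"C:\inetpub\wwwroot",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
]


@dataclass(frozen=True)
class FileEntry:
    path: str
    mtime: datetime


def _norm(path: str) -> str:
    # NTFS paths are case-insensitive; normalise separators and case so a
    # baseline entry matches however the path was recorded.
    return path.replace("\\", "/").lower()


def unexpected_script_files(inventory: list[FileEntry],
                            baseline: set[str]) -> list[FileEntry]:
    """Return inventory entries that are executable scripts under a served
    root and absent from the baseline, oldest first (so the earliest
    unexplained file, the likely initial foothold, is listed first)."""
    known = {_norm(p) for p in baseline}
    roots = [_norm(r) for r in SERVED_ROOTS]
    hits = []
    for entry in inventory:
        p = _norm(entry.path)
        if not any(p.startswith(root + "/") for root in roots):
            continue  # not reachable over HTTP, out of scope here
        name = p.rsplit("/", 1)[-1]
        if "." not in name:
            continue
        if "." + name.rsplit(".", 1)[-1] not in SCRIPT_EXTENSIONS:
            continue  # static content, not executed by IIS
        if p in known:
            continue  # shipped with the product, per the baseline
        hits.append(entry)
    return sorted(hits, key=lambda e: e.mtime)


# Constructed baseline: script files present on a clean install.
SAMPLE_BASELINE = {
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx",
}

# Constructed inventory: two shipped files, one static asset, one script
# outside the served roots, and two scripts with one-off names that no
# signature would match.
SAMPLE_INVENTORY = [
    FileEntry(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
              datetime(2020, 9, 15, 8, 0, tzinfo=timezone.utc)),
    FileEntry(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
              datetime(2020, 9, 15, 8, 0, tzinfo=timezone.utc)),
    FileEntry(r"C:\inetpub\wwwroot\aspnet_client\system_web\site.js",
              datetime(2020, 9, 15, 8, 0, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\admin\Desktop\test.aspx",
              datetime(2021, 2, 1, 12, 0, tzinfo=timezone.utc)),
    FileEntry(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\supp0rt.aspx",
              datetime(2021, 3, 5, 2, 41, tzinfo=timezone.utc)),
    FileEntry(r"C:\inetpub\wwwroot\aspnet_client\system_web\qx7k2.aspx",
              datetime(2021, 3, 3, 4, 12, tzinfo=timezone.utc)),
]


def find_unexpected_in_sample() -> list[FileEntry]:
    return unexpected_script_files(SAMPLE_INVENTORY, SAMPLE_BASELINE)


if __name__ == "__main__":
    for hit in find_unexpected_in_sample():
        print(f"{hit.mtime.isoformat()}  {hit.path}")
```

A hit only means the file is not accounted for; as the DoJ notes about its own operation, removing a shell says nothing about whether the server is patched or what else was placed through it, so each hit should be preserved for analysis before anything is deleted, and the patch level checked separately.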

While FBI agents copied and removed web shells that provided attackers with backdoor access to servers, organizations may not be in the clear.

“This operation was successful in copying and removing those web shells,” the Justice Department says. “However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

While Microsoft attributed the original attacks in January to the China-linked HAFNIUM threat actors, multiple hacking groups followed soon after the Exchange vulnerabilities were publicized.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

With most of the work already done, the FBI is now attempting to notify owners or operators of the computers from which it purged the web shells.

Organizations that still believe they have a Microsoft Exchange Server that remains compromised should contact their local FBI Field Office for assistance.

Company/organization names and IP addresses of those touched by the operation were redacted from publicly available court documents.

The uncovering of the operation comes just as four new critical security vulnerabilities in Exchange Server were fixed as part of this month’s Patch Tuesday bundle. Because of the severity of the additional issues, Microsoft teamed with the U.S. National Security Agency (NSA) to urge the immediate deployment of the new fixes.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.