Security Experts:

Industry Reactions to FBI Cleaning Up Hacked Exchange Servers: Feedback Friday

U.S. authorities revealed this week that the FBI executed a court-authorized cyber operation to remove malicious web shells from hundreds of compromised Microsoft Exchange servers located in the United States.

FBI agents removed the backdoors by issuing a command through the web shell to the server. The agency said it may have been more challenging for individual server owners to detect and eliminate these web shells compared to other web shells.

Industry reactions to FBI secretly cleaning up hacked Exchange Servers

The clean-up operation — the first known of its kind — was conducted without the knowledge of the hacked servers’ owners. The FBI is now working on notifying the owners and operators of the targeted systems.

SecurityWeek has reached out to experts from several companies for their thoughts on the FBI’s operation and its implications for the industry.

And the feedback begins...

Dr. David Brumley, CEO and co-founder, ForAllSecure:

David Brumley

“The effort by the FBI, as described in the Justice Department press release, amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not ok. While I understand the good intention — the FBI wants to remove the backdoor — this sets a dangerous precedent where law enforcement is given broad permission to access private servers.

 

As an analogy, would you want the FBI rattling your doorknob, checking if there is a master key available to criminals, and then replacing your lock without explicit consent? Of course not. That's not the role of law enforcement. Why would we want this in the digital domain?

 

There is a slippery slope if we go down this path. We don't want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn't locked, and then using that as a pretext to enter.

 

Courts should not be circumventing the need for the FBI to have consent to enter, even if there is a backdoor. Consent from the owner, given that the owners are not involved in a crime and there is no evidence of an active crime being carried out, should be a requirement.”

Tal Morgenstern, Co-Founder and CPO, Vulcan Cyber:

Tal Morgenstern

“The cyber security industry needs to do a better job closing the exposure window from vulnerability disclosed, to vulnerability fixed. However, this is much easier said than done. In the case of compromised Exchange Servers used by various U.S. Government agencies, the FBI took matters into their own hands to remediate the threat. Every security and IT organization has change controls in place. For the FBI, they decided to circumvent any change controls in place using a court order and a search warrant to stop the bleeding and secure these servers. In my opinion, the FBI made the right move and we need to see more proactive steps taken to remediate the vulnerabilities we know are out there threatening both our national and corporate interests.”

Jeff Costlow, CISO, ExtraHop:

Jeff Costlow

“It’s an extraordinary step for the FBI to remove backdoors from hundreds of Microsoft Exchange email servers throughout the US. The Microsoft patch, issued 6 weeks ago, fixed the vulnerabilities and stopped any new infections, but couldn’t remediate any already exposed backdoors from breached servers.

 

The response from the FBI issues in a new era of governmental intervention. In this case, the US government had the ability to remediate attacks non-destructively by removing the command and control systems used by attackers. But before the FBI acted, the attackers still had unfettered access to the systems and the operators of those systems should still consider themselves breached.

 

The action by the FBI underscores the need for an out-of-band network vantage point that can provide security teams with a full picture of the activity traversing their network. In this attack, the attackers expertly covered their tracks and would not have been visible by logs or by endpoint agents. If they hadn’t covered their tracks, they would have been found and removed by the system owners. Network detection and response provides that critical visibility into activity happening on the network.”

Topher Tebow, Cybersecurity Analyst, Acronis:

Topher Tebow

“The news that the FBI has removed backdoors from hundreds of Exchange Servers has both positive and negative connotations. While it is great to have the webshells removed from these servers, the vulnerabilities are still unpatched, and this sets a potential precedent that government organizations can essentially choose to hack into any computer suspected of having been compromised. The one protection in place here is that a search and seizure warrant will be needed before the intrusion can take place. In the current case, reasonable attempts to contact the affected victims are in place, however, this contact does not occur until after the webshells have been removed. This is problematic, because it could cause security teams to detect and try to remediate the intrusion, stifling the FBI work, but it does also avoid having the attackers potentially notified if a victim leaks the fact that the cleanup is going to occur. Leaving the vulnerabilities in place also seems potentially irresponsible, as it could lead to new attacks, with different methodologies, on the same machines that were already victimized. That said, there likely isn't a perfect solution here, as patching the vulnerabilities could also cause problems for some organizations, opening the FBI up to potential legal ramifications from the affected organizations.”

Paul Robichaux, Senior Director of Product Management for Quest Software's Microsoft Platform Management business: Paul Robichaux

“When you’re the victim of an extortion attempt, for example, you call the FBI. They’re the experts. Now they’ve applied their expertise, and their responsibility to respond to serious federal crimes, to a new area: cybercrime response. The fact that the FBI has become involved in cleaning up the HAFNIUM attacks against Microsoft Exchange is a strong wake-up call that the U.S. government takes these attacks very seriously, maybe more seriously than some Exchange administrators have to date.

 

The FBI already had legal authority to search for and seize evidence of federal crimes, and their InfraGard program helps critical infrastructure providers secure their systems, so this response is news mostly because it’s a new application of that authority—but it’s encouraging news. This kind of large-scale, coordinated, nation-state attacks is too big for individual organizations to respond to themselves, and leaving individual companies to clean it up themselves is a legitimate national security problem. However, the fact that the FBI’s on the case (see what I did there?) is no excuse to let your guard down. You still need to focus on patching and securing your own environments.

 

That’s because any compromised server can be used to move laterally inside an organization — so one compromised Exchange server can give the attacker a toehold that allows capturing more valuable or sensitive information. Every organization that has on-premises Exchange servers should reinforce their security discipline, make sure that they’re patching their systems in a timely way, and thoroughly investigate their entire network, not just their Exchange servers, to see whether they’ve been compromised by HAFNIUM. The more you protect your own resources, the more time and energy the FBI will have to protect others who can’t protect themselves effectively.”

Monti Knode, Director of Customer & Partner Success, Horizon3.AI:Monti Knode

“Government action is always established by an authority to act. By explicitly calling out 'protected computers' and declaring them 'damaged', that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution.

 

While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved.

 

Ultimately we are digitally interconnected, and given the risk for supply chain attacks, it’s in each of our best interest to know our own cyber risk and act on them, hopefully before our government must.”

Ilia Kolochenko CEO, Founder and Chief Architect, ImmuniWeb:Ilia Kolochenko

“It’s a wise move given that exposed web shells clearly indicate that server owners are either unaware of the server existence or are grossly negligent having unpatched and compromised system exposed to the Internet. Hacked servers are actively used in sophisticated attacks against other systems, amplify phishing campaigns and hinder investigation of other intrusions by using the breached serves as chained proxies.

 

Thus, arguably, such preventive removal may be considered a legitimate self-defense in cyberspace. In any case, neither hackers nor server owners will probably complain or file a lawsuit for unwarranted intrusion. What is interesting, is whether the FBI later transfers the list of sanitized servers to FTC or state attorney generals for investigation of bad data protection practices in violation of state and federal laws.”

Dirk Schrader, Global Vice President, Security Research, New Net Technologies (NNT):Dirk Schrader

“It’s telling that the FBI thinks that a couple hundred victims (guessing from the length of the covered space in the court order) are lacking the technical expertise for this. It leads to ‘what else are they not capable of?’


in terms of cyber security, given that there are recommended essential controls like change control and integrity monitoring (as recommended by NIST or CIS), that would have helped to identify the changes that occurred with the breach.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.