FBI Accesses Computers Around Country to Delete Microsoft Exchange Hacks

April 13, 2021 Off By Joseph Cox

On Tuesday the Department of Justice announced the FBI was given approval to access hundreds of computers across the United States running vulnerable versions of Microsoft Exchange Server software to remove web shells left by hackers who had earlier penetrated the systems.

The news shows some of the more proactive steps law enforcement may take when faced with large scale hacking operations, and victims who are not willing or able to swiftly patch their systems.

In short, the FBI obtained permission to access computers to remove artifacts of an earlier, high profile hacking operation in order to prevent further access to those machines by hackers.

Did you receive a notification from the FBI about this? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

"The Justice Department today announced a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service," the announcement read.

The action is a response to a hacking campaign earlier in the year which leveraged vulnerabilities in Microsoft Exchange Server. Multiple hacking groups used these security flaws to break into Exchange servers, in some cases stealing victims' emails. A suspected Chinese hacking group led the way, infiltrating tens of thousands of Exchange servers. In this case, the FBI "removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks," the announcement reads.

"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)," it adds. A web shell is, in essence, an interface the hackers have opened up so they can communicate with the vulnerable system at a later date. The announcement said the FBI action did not patch the underlying systems themselves, or remove any other additional malware.

web-shell-warrant.png
A section of the related court records. Image: Motherboard

"By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them," associated court records released with the announcement read. The documents add that the impacted servers appear to be located in five or more judicial districts, including the Southern District of Texas, District of Massachusetts, Northern District of Illinois, and Northern District of Virginia.

The FBI also took evidence from the servers themselves, and used passwords, the documents say.

"FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each" of the web shells, the documents add.

Assistant Attorney General John C. Demers for the Justice Department’s National Security Division said in the announcement that “Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions."

"Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts," he added.

The announcement said the FBI is attempting to inform all owners of the impacted computers about the operation. In a court document published alongside the announcement, Acting United States Attorney Jennifer B. Lowery wrote that "unsealing will further enable the government's reasonable efforts to provide notice of the search to some victims."

In 2016 the Department of Justice made changes to the rules governing searches to allow magistrate judges to sign warrants that involve searches of computers outside of their own district. This was related to dark web investigations where the physical location of a target of law enforcement malware may not be known, but also to combat botnets. 

A spokesperson for Microsoft declined to comment. On Tuesday the Twitter account of the National Security Agency tweeted a blog post from Microsoft which recommends users install new security patches, including ones related to Exchange Server vulnerabilities.

This article has been updated to include a response from a Microsoft spokesperson.

Subscribe to our cybersecurity podcast CYBER, here.