The US Federal Bureau of Investigation (FBI) recently received legal authorization to remove web shells from multiple Micrsoft Exchange servers compromised by a group of threat actors identified as HAFNIUM, all without having to wait for approval from compromised organizations. This security risk was eliminated in a series of updates released by Microsoft in early March.
The fixed flaws were identified as ProxyLogon and had been exploited by hackers in early 2021 to install malware on the affected Exchange servers. Installed web shells gave attackers remote access to servers, allowing sensitive information to be extracted.
Weeks after these attacks were documented Microsoft began releasing scripts to remove some of these shells while other hacking groups launched ransomware infection campaigns, cryptojackers, among other malware variants.
This week, the US Department of Justice (DOJ) issued a statement detailing the issuance of a court order to access compromised Microsoft Exchange servers and remove the malicious web shell, as well as taking some records of the attack. This order was granted to the FBI as the authorities consider that some vulnerable server owners do not have the technical resources to implement mitigations launched by Microsoft.
The DOJ argues that notifying the owners of these servers could have jeopardized the success of the operation: “Court approval has been requested to delay notification until May 2021, one month after beginning to correct flaws in these implementations,” the court documents note.
A specialized FBI unit accessed the web shell using passwords extracted by threat actors, as well as making copies for evidence presentation to finally execute a shell uninstall command: “Our staff will perform this process fully on affected deployments,” the FBI notes in an affidavit.
This order was granted by a court in Houston, Texas, providing the federal agency with 14 days to eliminate threats from compromised Exchange servers. The FBI was also required to notify the owners of these servers after the upgrade period ended.
Right now the authorities are in the process of notifying the victims of this operation, a task performed by the Bureau through its official email address. Server owners who receive this message should not take additional action, although they may contact officials at the agency for more information.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as an cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.