The US Justice Department has authorised the FBI to access systems vulnerable to the Microsoft Exchange Server ProxyLogon vulnerabilities to remove malicious web shells that had been installed.
The zero-day vulnerabilities – which were the subject of an emergency out-of-band patch from Microsoft in March 2021 – were heavily exploited by malicious actors throughout the first two months of the year to access on-premise instances of Exchange Server, compromise target email accounts, and place web shells to enable continued access.
This activity ramped up following disclosure, with multiple groups, including some ransomware operators, taking advantage of the widespread vulnerability.
The Justice Department said that while many organisational IT and security teams were able to remove the web shells, others “appeared unable to do so” and a high number of them persisted.
This led to the now-declassified operation in which the FBI was given carte blanche to tackle the problem, which was done by issuing a command through the web shells to the compromised servers that was designed to cause the server to delete the web shell, which could be identified by its unique file path.
“Today’s court-authorised removal of the malicious web shells demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said assistant attorney general John Demers of the Justice Department’s National Security Division.
“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cyber security.
“There is no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts.”
Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division, added: “This operation is an example of the FBI’s commitment to combating cyber threats through our enduring federal and private sector partnerships.
“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners.
“The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”
It is important to note that although the FBI operation was successful in removing the web shells it found, it did not patch any of the zero-days, or root out any malware, ransomware or other malicious tools that may have been installed via the web shells.
Nor did it address a new set of Microsoft Exchange vulnerabilities disclosed on 13 April in the latest Patch Tuesday update, which were discovered via the US intelligence services.
The FBI is now contacting all owners and operators of the systems it accessed, either via their public contact information, or through providers – such as an ISP – that may be able to pass a message on.
Immuniweb’s Ilia Kolochenko said the court-mandated action was probably a “wise move” in the light of the evident fact that many of the server owners had either been unaware of the server’s existence, or had failed to patch it.
“Hacked servers are actively used in sophisticated attacks against other systems, amplify phishing campaigns and hinder investigation of other intrusions by using the breached serves as chained proxies,” said Kolochenko.
“Thus, arguably, such preventive removal may be considered a legitimate self-defence in cyber space. In any case, neither hackers nor server owners will probably complain or file a lawsuit for unwarranted intrusion.
“What is interesting is whether the FBI later transfers the list of sanitised servers to the FTC or state attorney generals for investigation of bad data-protection practices in violation of state and federal laws.”