
DOJ: FBI Removed Web Shells From Exploited Microsoft Exchange Servers

A recent court-authorized FBI operation removed web shells from a range of exploited Microsoft Exchange servers whose owners may not have known they were compromised, according to a Tuesday DOJ press release.

In a rare move, a court-authorized FBI operation removed web shells from a host of exploited on-prem Microsoft Exchange Servers. Many of the victims may have been unaware their systems were compromised, according to a Tuesday Department of Justice press release.

The web shells were installed via a set of four zero-day vulnerabilities first disclosed and patched in early March. At the time, the tech giant warned that threat actors were actively exploiting the flaws to gain system access, move laterally through networks, and even steal data.

Some of the exploits included the installation of web shells to establish a persistent presence on the victims’ networks, including access to email accounts. The attacks began in January and February, with an uptick in the number of threat actors targeting the flaws upon the vulnerability disclosures in March.

Since that time, the Department of Homeland Security, FBI, and Microsoft have steadily worked to raise awareness around prioritizing patches for the flaws, given the extent of the exploitation carried out by at least 10 advanced persistent threat actors.

Previous support efforts included a mitigation tool and an indicators of compromise (IOC) scanner. The latest update showed that about 32,000 Exchange servers were still vulnerable to these attacks because their owners had not applied the provided software update.

Federal officials concluded that many owners had been unable to patch the vulnerabilities, leaving hundreds of web shells on victims' networks. In addition, each web shell identified and removed by the FBI had a unique file path and name, which made detecting and eliminating the threat harder for the victims.

The concern was that the malicious code could have enabled hackers to maintain and escalate their backdoor access and further their attacks.

In response, the FBI issued a command through each web shell to the victim's server that caused the server to delete only that malicious web shell, identified by its unique file path.

“Today’s court-authorized removal of the malicious web shells demonstrates DOJ’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General for the DOJ National Security Division John Demers, in a statement.

“Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity,” he added.

DOJ officials stressed that the operation succeeded in copying and removing web shells from the identified exploited networks. However, the effort did not patch the vulnerabilities against future exploitation, nor did the team search for or remove any other malware or hacking tools that may have been installed during the intrusions.

As such, federal officials are urging system administrators to review earlier guidance from Microsoft and federal alerts to assist with remediation efforts. The FBI is continuing to notify all owners and operators of the systems from which it removed web shells.

System owners who believe their systems were compromised, or who are continuing to operate vulnerable on-prem Exchange servers, should contact their local FBI office for assistance. The FBI is still investigating the cyber incident.

Demers acknowledged that there is still work to be done, but the web shell effort demonstrates the continued federal effort to strengthen US infrastructure.

“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas said in a statement.

“We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches,” she added.

On Tuesday, Microsoft issued patches for another set of four critical vulnerabilities found in on-prem Exchange Server versions 2016 and 2019. The continued exploit activity around the vulnerable platform emphasizes the need for patch prioritization across all sectors.
