A little more than a month after Microsoft disclosed a bombshell piece of cybersecurity industry news — an attack on Microsoft Exchange servers, whereby state-sponsored hackers from China were chaining together attacks on four vulnerabilities in Microsoft’s email cloud service in order to steal data — the US government just shared a pretty incredible piece of related news.
Court documents were unsealed, enabling a US Justice Department announcement that the FBI had undertaken what the department calls a successful operation to “copy and remove” backdoors remaining on hundreds of vulnerable computers around the US. The operation to remove these remaining malicious web shells was necessary, the Justice Department’s announcement says, because they could have been used “to maintain and escalate persistent, unauthorized access to US networks.” The FBI removed these backdoors by issuing a command through each web shell that instructed the server to delete only that web shell.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said US Assistant Attorney General John C. Demers, for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.”
Among other details the Justice Department shared, as part of disclosing this operation:
- This all stems from Microsoft’s early March announcement that a hacking group used multiple zero-day vulnerabilities to target computers running Microsoft Exchange server software. Other hacking groups also used these vulnerabilities to install web shells on “thousands” of victims’ computers.
- Despite Microsoft’s and law enforcement’s efforts to mitigate the damage, by the end of March there were apparently still hundreds of web shells remaining on US-based computers running the Microsoft Exchange server software.
- The FBI says it is trying to give notice of this court-approved operation to all owners and operators of the affected computers. Where contact information is publicly available, the bureau will send an email from its official @fbi.gov account to provide the notice. Where contact information is not readily available, the FBI will send an email from that same official account to the victims’ ISPs and ask them to pass along the notice.
Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities #Cybersecurity @TheJusticeDept https://t.co/Kg6jI3pzh9
— FBI (@FBI) April 13, 2021
The announcement concludes by noting that, although the operation “was successful in copying and removing those web shells, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10, 2021, Joint Advisory for further guidance on detection and patching.”