The FBI has carried out an operation to proactively remove security backdoors from hacked on-premises Microsoft Exchange servers without the knowledge or permission of the organisations operating them. Meanwhile the NSA has disclosed several previously unknown vulnerabilities in the same technology.
The move by the Feds to “copy and remove malicious web shells” without discussion was authorised by a court in Houston.
According to the Justice Department, which made the operation public on Tuesday, the initiative has already protected “hundreds” of vulnerable computers in the US.
The FBI said it is attempting to inform Exchange Server users that it has removed backdoors on their behalf.
On 2 March Microsoft said that Chinese state-linked group Hafnium had been using zero-day exploits to target its on-premises Exchange Server tech, and that users should patch their systems.
Following the public revelation of the exploits a range of cybercriminal gangs, including LuckyMouse, Calypso and the Winnti Group, began compromising vulnerable Exchange servers in bulk with the apparent plan of picking targets for further exploitation at a later date. These efforts appeared to be driven by the fact that patching the vulnerabilities does not prevent attackers from manipulating systems that have already been hacked, in many cases by installing web shells on them.
The FBI, finding that “hundreds” of systems in the US had malicious web shells installed on them, then took the unusual step of “issuing a command through the web shell to the server” to delete this malware. While the operation removed malicious web shells it did not remove other malware that may have been on any given system.
As such, the Justice Department “strongly encourages” security professionals to scan on-prem Exchange Servers for compromise and follow Microsoft’s remediation guidance.
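The scan the Justice Department recommends is, in its simplest form, a check of the server's web-facing script directories for files that should not be there. The following Python script is an added example written for this article; it is not code from Microsoft, the FBI or the Justice Department, and its content heuristics, the `owa/auth` directory layout and the file names are constructed assumptions for illustration. It walks a directory tree, flags ASP.NET script files whose content matches web-shell-like patterns, and lets an analyst require several matches before a file is reported, which keeps legitimate pages that merely read request parameters out of the results. A production check would pair this with a known-good file baseline and vendor-published indicators rather than rely on content heuristics alone.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Heuristics for content typical of ASP.NET web shells. These are illustrative
# assumptions, not Microsoft's or the FBI's signatures.
SUSPICIOUS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("reads request parameter into code",
     re.compile(r'Request\s*\[\s*["\'][^"\']+["\']\s*\]')),
    ("dynamic eval", re.compile(r"\beval\s*\(", re.I)),
    ("spawns a process", re.compile(r"Process\.Start\s*\(")),
    ("references a command interpreter", re.compile(r"cmd\.exe|powershell", re.I)),
    ("loads an assembly at runtime", re.compile(r"Assembly\.Load\s*\(")),
]

# Server-side script extensions worth inspecting (assumption: typical ASP.NET set).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def scan_file(path: Path) -> List[str]:
    """Return the labels of every heuristic that matches the file's content."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    return [label for label, pattern in SUSPICIOUS if pattern.search(text)]


def scan_tree(root: Path, min_hits: int = 1) -> Dict[str, List[str]]:
    """Walk root and map each flagged script file (relative POSIX path) to its hits.

    min_hits lets an analyst demand more than one heuristic before a file is
    reported, which reduces noise from pages that only read request parameters.
    """
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = Path(dirpath) / name
            hits = scan_file(path)
            if len(hits) >= min_hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample tree; the owa/auth layout is only a loose imitation.

    logon.aspx is a benign page. dropped.aspx holds non-functional fragments
    that trip two heuristics, standing in for a file an attacker left behind.
    """
    auth_dir = base / "owa" / "auth"
    auth_dir.mkdir(parents=True, exist_ok=True)
    (auth_dir / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n'
    )
    (auth_dir / "dropped.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<% string c = Request["cmd"]; %>\n'                     # request parameter
        '<% /* constructed: Process.Start( would run c */ %>\n'  # process spawn
    )
    return base


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temporary directory and scan it."""
    base = build_sample_tree(Path(tempfile.mkdtemp(prefix="exchange-scan-")))
    return scan_tree(base)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Running the script prints the single flagged file with the two heuristics it matched; raising `min_hits` to 3 reports nothing, which is the knob to turn when a real server's legitimate pages generate noise.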
“Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” said Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division. “The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions.”
Kyle Hanslovan, co-founder and CEO of security firm Huntress and a former US intelligence officer, said it’s “noteworthy” that the proactive efforts were performed on behalf of the Justice Department and the FBI.
“I think it’s very important to keep US Intelligence agencies like NSA focused on their foreign targets and away from infringing on civil liberties,” he said. “The use of courts to authorise the FBI’s disruption effort is a solid initial framework to ensure these actions stay focused on increasing security and are restricted from indirect intelligence targeting.”
News of the FBI Exchange operation comes as Microsoft published more critical Exchange vulnerabilities as part of its Patch Tuesday update.
Among the 108 issues dealt with this month, Microsoft provided patches for four new Exchange security flaws discovered by the NSA. Two of the critical remote code execution vulnerabilities were exploitable pre-authentication. There is no evidence that any of the new Exchange vulnerabilities have been used in the wild.
Previously the NSA has chosen not to disclose certain vulnerabilities so that it could use them in its own espionage and intelligence operations. However, in 2017 state-sponsored hackers stole the EternalBlue exploit from the agency’s cyber-arsenal and months later it was used to carry out the global WannaCry ransomware attack.
The NSA’s decision to inform Microsoft of the new Exchange vulnerabilities suggests it decided that keeping them to itself posed a greater risk to US and US-allied organisations.