FBI blasts away web shells on US servers in wake of Exchange vulnerabilities

Feds turn into cyberfirefighters and hose down the web shell bonfire raging on hundreds of unpatched Exchange servers.
Written by Chris Duckett, Contributor

If you were running an Exchange server in the United States, it could have been compromised, and somewhat mitigated by the FBI without your knowledge.

The Department of Justice revealed on Tuesday that the FBI gained authorisation to remove web shells installed on compromised servers related to the Exchange vulnerabilities.

"Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated," the department said.

"This operation removed one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks."

Despite the operation, those that run Exchange servers are still recommended to follow Microsoft's advice as well as ensure servers are properly patched.

"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)," it said.

"This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells."

Due to each shell having a unique file path and name, the department added it may have been difficult for "individual server owners" to find and remove them. As of the end of March, the department was aware of "hundreds" of shells still working on US servers. Microsoft released its first alerts on the vulnerabilities at the start of March.

The FBI is now attempting to alert server owners that it removed shells from. Affected users with publicly available contact information will receive an "e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search", and failing that, ISPs will be contacted to provide notice.

All fbi.gov emails are genuine: This phishing attack pretends to come from someone you trust

"Today's court-authorized removal of the malicious web shells demonstrates the department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," Assistant Attorney General for national security John C. Demers said.

"Combined with the private sector's and other government agencies' efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country's cybersecurity.

"There's no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts."

On March 24, Microsoft said 92% of vulnerable servers were patched or mitigated.

In Australia, the government's Australian Cyber Security Centre has been running scans to find vulnerable servers in the country.

Related Coverage

Editorial standards