Last week the US Department of Justice revealed how the FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cybersecurity.
Earlier this year, four zero-day vulnerabilities in Microsoft Exchange Server, which were being actively exploited by a nation-state-backed hacking operation, were uncovered. Microsoft released a critical security update to protect Exchange Server customers from cyberattacks exploiting the vulnerabilities in March, but a significant number of organisations have yet to apply the security patch.
This leaves them vulnerable to cyberattacks from a range of online attackers including nation-state groups, ransomware gangs, cryptojackers and other cyber-criminal groups that have rushed to exploit the Exchange vulnerabilities.
The attackers exploit the vulnerabilities to place web shells – scripts uploaded to the server that give the attacker remote administrative access – which provide continuing unauthorised backdoor access for cyber espionage and other malicious activity. It was these web shells that the FBI launched an operation to remove.
Hundreds of unmitigated web shells have been identified and removed from hundreds of systems – to such an extent that the Department of Justice says it has removed one hacking group's remaining web shells entirely.
"This operation is an example of the FBI's commitment to combating cyber threats through our enduring federal and private sector partnerships," said Tonya Ugoretz, acting assistant director of the FBI's cyber division.
"Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners," she added.
Action was taken because of the threat the web shells posed to the organisations. The FBI says it's attempting to provide notice to all of the organisations from which it has removed web shells, which means that the agency accessed the systems without their knowledge.
Even if the intent was good – in short, helping to protect the businesses by removing the access of cyber attackers, and authorised by the courts – this is a significant step by law enforcement.
"The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK," says David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and co-founder and CEO of ForAllSecure, a cybersecurity company.
"While I understand the good intention – the FBI wants to remove the backdoor – this sets a dangerous precedent where law enforcement is given broad permission to access private servers."
In this case, accessing the networks was deemed appropriate by the courts in order to remove backdoors planted by malicious hackers and to protect the organisations from cyberattacks – but Brumley fears what he described as a "slippery slope".
"We don't want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn't locked, and then using that as a pretext to enter," he says.
But there are also those who believe that the FBI's actions in entering networks and removing web shells from compromised Microsoft Exchange servers were the right thing to do, especially when organisations are fighting a cyber battle against attackers that are much more highly resourced than they are.
"I believe this involvement by the FBI is seen as much appreciated from the private sector when it comes to protecting against nation-state attacks. Right now it is as if the private sector is fighting these nation-state attacks with one hand tied behind our backs, especially when our adversaries are pulling no punches," says Troy Gill, threat hunter and manager at security company Zix.
"We will continue to see more government involvement when it comes to mitigating vulnerabilities."
Other security agencies are helping organisations secure their networks against the Microsoft Exchange vulnerabilities – but not by accessing the network without anyone knowing about it first. For example, the UK's National Cyber Security Centre (NCSC) has helped remove malware related to Exchange zero-days from over 2,300 Windows machines.
This was done in partnership with the affected organisations, and the NCSC doesn't have the powers to enter the networks of private businesses to fix vulnerabilities.
The NCSC is also actively working with organisations to help them apply the necessary security updates to protect the network from cyberattacks. And while the FBI has removed the malicious web shells, it hasn't patched any Microsoft Exchange Server zero-day vulnerabilities or removed any additional hacking or malware tools that could've been placed on networks by attackers.
That means that businesses that had web shells removed from their networks are still vulnerable to further attacks as long as they haven't applied the patches or examined the network for potentially suspicious activity – especially if they're still unaware that the FBI entered the network to remove the web shells in the first place.
"The FBI initiative to remove web shell code from compromised Microsoft Exchange servers may be regarded as an important milestone in fighting cybercrime. However, while this operation removes attackers' access to these vulnerable servers, it doesn't immediately improve their security," explains Bob Botezatu, director of threat research and reporting at Bitdefender.
"The removal of the web shell does not affect the operation of additional malware that might have been planted on the server post-compromise and also does not patch the root issue, so attackers could easily re-exploit the vulnerable server and regain web shell access to it."
A joint advisory from the FBI and CISA (Cybersecurity & Infrastructure Security Agency) has urged organisations to apply the relevant security patches and other procedures to protect their networks from attacks – but until the patches are applied, the servers are still going to remain vulnerable to cyberattacks.
So while entering networks with the permission of the courts allowed the FBI to remove the immediate threat of web shells, many organisations may still not know if their network was accessed by the FBI in the first place. The debate between cybersecurity, rights to access, privacy, and whether it was the right thing to do to protect vulnerable organisations against cyberattacks is going to rumble on.
"Some people may be very uneasy about this and feel that a dangerous precedent has been set. Should governments really be permitted to access and manipulate corporate computer systems, even if the reasons for doing so are ostensibly altruistic?" says Brett Callow, threat analyst at Emsisoft.
"That said, the action undoubtedly avoided harm as, without it, more organizations would almost certainly have been further compromised. This is really one of those cases where you can understand why something was done and see the benefits of it having been done, but nonetheless wonder whether it should've been done," he adds.
Whether it should have been done or not, the incident sets a precedent – and the FBI could take similar action again.
"The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions," said acting assistant director Ugoretz.
Microsoft was approached for comment but a spokesperson said the company had nothing to add.