FBI Removing Web Shells From Infected Exchange Servers
Remediation Effort at Organizations in at Least 8 States May Be First of Its Kind in the US
A federal court in Texas gave the FBI the go-ahead to remove malware from on-premises Microsoft Exchange servers at organizations infected in a wave of voluminous zero-day attacks earlier this year, the Department of Justice said on Tuesday.
Since Friday, the FBI has been removing web shells, or scripts that allow remote access, from Exchange servers belonging to organizations in at least eight states, according to an unsealed application for a search warrant released by the DOJ. The operation is authorized to run through April 23.
How Widespread Is FBI Action?
The search warrant application was approved by the U.S. District Court for the Southern District of Texas in Houston. It's unclear how many organizations the FBI aims to remediate, because that figure is redacted in the search warrant application. But law enforcement agencies may have known which servers had problems from a list of hacked Exchange servers that emerged in early March (see: List of Hacked Exchange Servers May Boost Recovery Efforts).
The FBI undertook the action without the knowledge of those systems' owners, although it is attempting to contact those organizations. Experts say it may be the first time a court has authorized such an action in the U.S. It was made possible after a change in 2016 to Rule 41, which is part of the Federal Rules of Criminal Procedure, says Alexander Urbelis, a partner at the Blackstone Law Group in New York and former acting CISO for the U.S. National Football League.
The change to Rule 41 was intended to help the government battle botnets and remove procedural hurdles for cases involving child pornography online where the location of the perpetrators may not be known. It allows investigators to access computers outside of a jurisdiction where a search warrant is granted and also to remotely remove malicious code from a victim's machine, Urbelis says.
Computer crime laws prevent anyone from modifying a computer without explicit permission from that computer's owner. But experts have floated the idea of cleanup actions as a way to remediate large-scale infections, such as botnets. The idea is fraught with liability concerns, however, such as what to do if a well-meaning action taken by a third party without permission ends up damaging a computer.
Other countries have undertaken interventions. In 2010, the Netherlands uploaded a program to computers worldwide notifying people that their machines had been infected by the Bredolab botnet. The program redirected web browsers to a website set up by police.
As many as 68,000 Exchange servers may have been infected worldwide in a vigorous wave of attacks that started in late February. It's suspected that information about the four zero-day vulnerabilities leaked before Microsoft's emergency patch release on March 2, which would explain why so many infections occurred ahead of the patch (see: How Did the Exchange Server Exploit Leak?).
Microsoft attributed the initial exploitation activity to a group it calls Hafnium, which it believes operates out of China. But security companies quickly noticed other groups taking advantage of the vulnerabilities leading up to the patch release.
Microsoft has released tools and scripts to detect web shells and other signs of infection. But even if organizations have patched Exchange, they remain at risk unless the web shells, which could be used to plant more malware, are removed. It appears that is of heightened concern to U.S. authorities.
Meanwhile, on Tuesday, Microsoft issued patches for four new critical vulnerabilities in the on-premises Exchange Server software. The flaws were discovered by the U.S. National Security Agency (see: Microsoft Patches 4 Additional Exchange Flaws).
The FBI's move is being cautiously praised given the severity of issues with Exchange. It appears to be the first time the U.S. government has taken an action like this, says Steven Adair, CEO and founder of Volexity. Adair's company was one of the first to detect threat actors exploiting one of the Exchange zero-day flaws around Jan. 3.
"If this operation removed all of the web shells from a compromised and patched Microsoft Exchange server, this really could have tremendously helped these organizations and prevented unknown damage from occurring," Adair says. "It is surprising, in a good way, to see this turn of events."
But for organizations that haven't patched, it's unclear how long the benefit of the FBI removing a web shell will last. If an organization hasn't patched, it means another threat actor or group could easily take over the server again and plant malware.
"It's good to see action taken to help organizations that haven't yet acted to defend themselves," tweets Katie Nickels, director of intelligence for the security firm Red Canary. But, she writes, "I'm also cautious that this could set a precedent that could have unintended consequences in the future. Still thinking."
There are continuing worries that many organizations have neither patched nor removed web shells. Included in the unsealed documents is an affidavit from an FBI special agent who cites the justification for the intervention.
"Most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because the victims lack the technical ability to remove them on their own," the agent writes.
The search warrant allows the FBI to access the web shells, enter the password for a web shell, make an evidentiary copy of a web shell and then issue a command to delete a shell. The FBI, however, only removed the web shells and did not patch the Exchange servers, the DOJ says.
The FBI also did not remove any other malware or hacking tools that an attack group may have installed. It is trying to warn affected organizations, sending emails to them as well as to their ISPs in hopes of making contact.
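The remediation sequence the warrant describes (locate a web shell, preserve an evidentiary copy, then delete it) is the same one a defender would follow on their own server. The following is an added example, not code from the FBI, DOJ or Microsoft; the watched directories, the two source markers used to flag a candidate file, and the sample web root it scans are all constructed assumptions for illustration.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed for this example: Exchange virtual directories where new .aspx files are unexpected,
# and two source markers typical of one-line ASP.NET web shells (a request parameter fed to eval).
WATCHED_DIRS = ("owa/auth", "ecp", "aspnet_client")
SHELL_MARKERS = (
    re.compile(rb'Request\s*\[\s*"[^"]+"\s*\]'),  # reads an attacker-supplied request parameter
    re.compile(rb'\beval\s*\(', re.IGNORECASE),   # hands that parameter to a script evaluator
)

def find_candidate_shells(web_root: Path) -> list[Path]:
    """List .aspx files under the watched directories that match every marker."""
    hits = []
    for rel in WATCHED_DIRS:
        base = web_root / rel
        if base.is_dir():
            for path in base.rglob("*.aspx"):
                data = path.read_bytes()
                if all(m.search(data) for m in SHELL_MARKERS):
                    hits.append(path)
    return sorted(hits)

def preserve_and_remove(path: Path, evidence_dir: Path) -> dict:
    """Hash and copy the file into the evidence folder, then delete the original."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    copy_path = evidence_dir / f"{digest}.aspx"  # evidentiary copy named by its hash
    shutil.copy2(path, copy_path)
    path.unlink()
    return {"original": str(path), "sha256": digest, "copy": str(copy_path)}

def run_demo() -> dict:
    """Scan a constructed sample web root: one legitimate page plus one planted shell-like file."""
    root = Path(tempfile.mkdtemp())
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_bytes(b'<%@ Page Language="C#" %><html>sign in</html>')
    planted = b'<script runat="server">void Page_Load(){eval(Request["x"],"unsafe");}</script>'
    (auth / "zq7k1.aspx").write_bytes(planted)  # constructed, random-looking file name
    records = [preserve_and_remove(h, root / "evidence") for h in find_candidate_shells(root)]
    return {
        "removed": [Path(r["original"]).name for r in records],
        "copy_intact": all(Path(r["copy"]).read_bytes() == planted for r in records),
        "remaining": sorted(p.name for p in auth.glob("*.aspx")),
    }
```

Removing the file this way does nothing about the unpatched vulnerability that let it be planted, which is the point the article makes about the FBI's operation as well.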
Urbelis says the FBI's actions are well intentioned and proactive, and organizations are unlikely to complain about them. But they raise privacy, civil liberties and cybersecurity issues, such as possible unintended consequences.
"As minor as it is, it's still a federal government law enforcement agency paternalistically accessing private servers and altering private data without any notice to the data controllers whatsoever," Urbelis says. "The notice here is all after the fact, and that is a major problem."
For example, the web shells identified for cleanup could actually be honeypots intentionally set up to gather information on threat actors, Urbelis says. Or a web shell flagged for removal could be booby-trapped to deploy ransomware if it is tampered with.
"I don’t trust the code of foreign adversaries to do what it appears it is designed to do," Urbelis says.