In what appears to be the first action of such kind ever, the FBI removed “web shells” belonging to “one early hacking group,” the DOJ said on Tuesday.
Web shells are malware left on the servers by people who used the zero-day exploit on the popular email server software to gain access to corporate email servers earlier this year.
While thousands of affected web servers have since been patched, hundreds of web shells “persisted unmitigated” because the system owners appeared unwilling or unable to remove them, the DOJ said.
The FBI’s operation was intended to ‘help’ administrators secure their systems and successfully removed the malware from some of these computers. It was authorized as a “search” warrant by Judge Peter Bray, a federal magistrate in the Southern District of Texas. His court order was issued on April 9, but remained sealed until Tuesday.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers, of the DOJ’s National Security Division.
The FBI only “copied and removed” the web shells, but did not patch any Microsoft Exchange Server vulnerabilities, or search for and remove any additional malware or other information contained on the servers, the DOJ noted.
Another thing that stood out in the DOJ statement was that the owners or operators of the affected computers were not notified of the “search” beforehand.
Instead, the FBI is “attempting to provide notice” by sending an email to those with publicly available contact information – and in cases where it wasn’t available, asking internet service providers (ISP) to forward the message along.
Meanwhile, the White House’s top cybersecurity official directed all government agencies on Tuesday to “urgently” patch their Microsoft Exchange servers, due to four new flaws discovered by the NSA.
The vulnerabilities “may pose such a systemic risk that they require expedited disclosure,” Anne Neuberger said in a statement.
Microsoft announced a massive breach of its Exchange email platform in early March, saying that a zero-day vulnerability in the servers had given “long-term access” to hackers.
The attack was attributed to a group dubbed Hafnium – an allegedly “state-sponsored” outfit operating out of China.
The vulnerability was subsequently exploited by at least 10 hacking groups and affected thousands of servers in over 115 countries, according to the cybersecurity firm ESET. More than 20,000 servers were compromised in the US alone.