FBI Agents Secretly Delete Malicious Web Shells From Hacked Microsoft Exchange Servers


The US Department of Justice (DoJ) announced Tuesday that FBI agents carried out a court-ordered cyber operation to remove malicious web shells from hundreds of previously compromised Microsoft Exchange servers in the United States, unbeknownst to their owners.

Following a rash of large-scale in-the-wild zero-day attacks against Exchange Server installations in January, smart organisations scrambled to patch their vulnerable Microsoft email servers and remove attacker-installed web shells.

Attackers were able to exploit a series of vulnerabilities to gain access to on-premises Exchange servers, allowing them to read email accounts and install additional malware that enabled long-term access to victim environments, according to Microsoft.

Unfortunately, several businesses were unable to patch their systems and/or remove the malware that had been installed.

The FBI “removed one early hacker group’s remaining web shells that may have been used to retain and escalate ongoing, unauthorised access to U.S. networks” in what appears to be the first documented operation of its kind.

According to court records, FBI agents deleted the web shells by sending a command to the server through the web shell, instructing it to uninstall only the web shell (identified by its unique file path).

“Because each of the web shells removed by the FBI had a specific file path and name, they could have been more difficult for individual server owners to identify and delete than other web shells,” the Department of Justice explained.

Though FBI agents copied and deleted web shells that gave attackers backdoor access to servers, businesses could still be vulnerable.

The Justice Department claims that “this activity was effective in copying and deleting certain site shells. However, it did not fix any zero-day vulnerabilities in Microsoft Exchange Server, nor did it check for or uninstall any additional malware or hacking tools that hacking groups might have installed on victim networks by leveraging the web shells.”
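The two points above are the ones a defender has to act on: the web shells sat at attacker-chosen, unique file paths that owners struggled to identify, and removing a shell leaves any other planted files and the underlying vulnerability untouched. One way to surface both kinds of residue is to compare the script files in a web-served directory against a baseline taken from a known-clean installation. The following Python script is an added example written for this page; it is not code from the FBI, the DoJ or Microsoft. The directory layout, file names and file contents built in demo() are constructed so the script runs offline, and the web shell stand-in holds placeholder text only; in real use the baseline would come from a clean install of the same product version and the scan would be pointed at the live web-served tree.

```python
"""Added example: baseline-driven hunt for unexpected or modified script files
under a web-served directory tree.

Assumptions (not from the article): the operator supplies the directory to scan
and a baseline of known-good hashes; the sample tree built in demo() is
constructed here purely so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types IIS executes server-side; a dropped web shell is usually one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not be read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every script file under root.

    Run once against a known-clean installation; the result is the reference
    that every later scan is compared to.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def find_unexpected_scripts(root: Path, baseline: dict) -> list:
    """Return sorted (relative_path, reason) pairs for script files that do not match the baseline.

    "not in baseline": a script file the clean install never had, which is the
    trace a web shell dropped at an attacker-chosen unique name leaves behind.
    "hash mismatch": a legitimate file whose content changed in place.
    """
    findings = []
    for rel, digest in build_baseline(root).items():
        expected = baseline.get(rel)
        if expected is None:
            findings.append((rel, "not in baseline"))
        elif expected != digest:
            findings.append((rel, "hash mismatch"))
    return sorted(findings)


def demo() -> list:
    """Build a constructed directory tree, take a baseline, tamper, and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth_dir = root / "owa" / "auth"  # constructed path, not a real installation
        auth_dir.mkdir(parents=True)
        legit = auth_dir / "logon.aspx"
        legit.write_text('<%@ Page Language="C#" %>\n<html>constructed logon page</html>\n')
        (auth_dir / "style.css").write_text("body {}\n")  # non-script file, ignored by the scan

        baseline = build_baseline(root)  # snapshot taken while the tree is clean

        # Simulate the post-compromise state: a new script at an unpredictable
        # name and an in-place edit of the legitimate page. Placeholder text only.
        (auth_dir / "x7q2m9.aspx").write_text("<%-- constructed placeholder, not shell code --%>\n")
        with legit.open("a") as handle:
            handle.write("<%-- constructed appended marker --%>\n")

        return find_unexpected_scripts(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:15} {rel}")
```

The scan deliberately hashes by relative path rather than by file name alone, so a shell that borrows a legitimate name but sits in a different directory is still reported as "not in baseline". A hit is a starting point for investigation, not proof of compromise, and as the DoJ statement notes, deleting the flagged file does nothing for the vulnerability that let it in; patching remains the first step.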

Though Microsoft initially blamed the attacks on China-linked HAFNIUM threat actors in January, several hacking groups quickly followed after the Exchange vulnerabilities were made public.

HAFNIUM mainly targets organisations in the United States, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and non-governmental organisations (NGOs).

With the majority of the work completed, the FBI is now attempting to contact the owners or managers of the machines from which the web shells were removed.

Organizations that believe their Microsoft Exchange Server is still compromised should seek assistance from their local FBI Field Office.

The names of the companies and organisations involved in the operation, as well as their IP addresses, were redacted from publicly accessible court records.

The operation’s disclosure coincides with the patching of four additional critical security vulnerabilities in Exchange Server as part of this month’s Patch Tuesday release. Because of the seriousness of the additional problems, Microsoft teamed up with the National Security Agency (NSA) of the United States to push for the latest patches to be deployed immediately.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.