
FBI Removes Web Shells From Infected Microsoft Exchange Servers

Federal law enforcement, armed with a court order, excised malicious web shells from hundreds of exposed servers in the U.S. that had been compromised through the exploitation of zero-day flaws in Microsoft Exchange Server, an attack carried out at the year's outset by a Chinese state-backed hacking group.

  • Note: A web shell is malicious code, written in a common web development language, that attackers implant on a web server to gain remote access and run commands, giving them a persistent foothold in the infected organization's network. Attackers install web shells on servers by exploiting security vulnerabilities.
  • Recap: In the first two months of 2021, the China-sponsored Hafnium group exploited zero-day vulnerabilities in Microsoft Exchange Server to access email accounts and place web shells that allowed the hackers to persist in victims' networks. Other hacking groups subsequently exploited the same vulnerabilities to install web shells on thousands of victim computers in the U.S.

While Justice Department officials acknowledged that "many infected system owners" had successfully removed the web shells from thousands of computers, many systems infiltrated by the malicious code remained. The Federal Bureau of Investigation (FBI) conducted an operation to remove the remaining web shells by issuing a command through each web shell that caused the server to delete only that web shell, identified by its unique file path.
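The removal approach described above is narrow by design: one specific file, known in advance by its unique path, and nothing else touched. The following Python script is an added illustration of that defensive pattern for an administrator cleaning up a server; it is not the FBI's tooling or Microsoft's, and the heuristic marker, the file names under a constructed `webroot`, and the non-functional "shell" content are all constructed for the example. It goes slightly beyond the article by showing the two checks a practitioner would add before acting on an identified path: the resolved path must still lie inside the web root, and the file's SHA-256 must still match the value recorded when it was identified, so that a file replaced in the meantime is left alone and reported rather than deleted. Files are moved to a quarantine directory instead of being destroyed, which preserves evidence for incident response.

```python
"""Constructed example: identify web shell candidates, then remove only verified,
in-scope files by their exact path. Not the FBI's or Microsoft's code."""
from __future__ import annotations

import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Heuristic marker: a server-side script block that feeds request input into an
# evaluation or process-launch call. Constructed for illustration only; a real
# triage would rely on vendor-published indicators and known-bad hashes.
SUSPICIOUS = re.compile(
    rb'runat=["\']server["\'].{0,2000}?Request\s*[\[.].{0,500}?(Eval|Execute|Process\.Start)',
    re.IGNORECASE | re.DOTALL,
)

# Constructed, non-functional stand-in for a web shell: just enough to trip the heuristic.
CONSTRUCTED_SHELL = (
    b'<script runat="server" language="c#">void Page_Load(){'
    b'var cmd = Request["c"]; Eval(cmd);}</script>'
)
# Constructed benign page content.
LEGIT_PAGE = b'<%@ Page Language="C#" %><html><body>Outlook Web App</body></html>'


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_webroot(webroot: Path) -> list[str]:
    """Return webroot-relative paths of .aspx files that match the heuristic."""
    hits = []
    for p in sorted(webroot.rglob("*.aspx")):
        if SUSPICIOUS.search(p.read_bytes()):
            hits.append(p.relative_to(webroot).as_posix())
    return hits


def remove_identified(webroot: Path, identified: dict[str, str], quarantine: Path) -> dict[str, str]:
    """Quarantine each identified file only if it resolves inside webroot and its
    SHA-256 still equals the hash recorded at identification time."""
    quarantine.mkdir(parents=True, exist_ok=True)
    root = webroot.resolve()
    report: dict[str, str] = {}
    for rel, expected in identified.items():
        target = (root / rel).resolve()
        if root not in target.parents:          # path traversal or symlink out of scope
            report[rel] = "outside_webroot"
            continue
        if not target.is_file():
            report[rel] = "missing"
            continue
        if sha256_of(target) != expected:       # file changed since identification
            report[rel] = "hash_mismatch"
            continue
        shutil.move(str(target), str(quarantine / rel.replace("/", "__")))
        report[rel] = "quarantined"
    return report


def demo() -> dict:
    """Build a throwaway web root, run the scan, then the verified removal."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "webroot"
    auth = webroot / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_bytes(LEGIT_PAGE)          # benign, must be kept
    (auth / "help.aspx").write_bytes(CONSTRUCTED_SHELL)    # constructed name and content
    (auth / "other.aspx").write_bytes(CONSTRUCTED_SHELL)   # constructed name and content
    flagged = scan_webroot(webroot)
    identified = {rel: sha256_of(webroot / rel) for rel in flagged}
    # Simulate an edge case: one flagged file is replaced before removal runs.
    (auth / "other.aspx").write_bytes(LEGIT_PAGE)
    # And two bad inputs: a traversal path and a path that no longer exists.
    identified["../outside.aspx"] = "00" * 32
    identified["owa/auth/gone.aspx"] = "11" * 32
    report = remove_identified(webroot, identified, base / "quarantine")
    quarantined = sorted(p.name for p in (base / "quarantine").iterdir())
    shutil.rmtree(base)
    return {"flagged": flagged, "report": report, "quarantined": quarantined}


if __name__ == "__main__":
    print(demo())
```

The report returned by `remove_identified` is the artifact worth keeping: every path the operator intended to act on gets an explicit outcome, so a hash mismatch or an out-of-scope path is surfaced for a human rather than silently skipped or, worse, silently deleted.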

Success and Caution

Even as Justice called the FBI's operation a success (it captured one early hacking group's remaining web shells, which could have been used as a backdoor into U.S. networks), the law enforcement agency cautioned that it neither searched for nor found any additional malware on victim networks beyond the web shells, and that it did not install any patches. It urged network administrators to consult Microsoft's remediation guidance and the March 10 joint advisory by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) for further guidance on detection and patching.

The FBI said it will notify all owners or operators of the computers from which it removed the hacking group’s web shells.

John Demers, Assistant Attorney General for the Justice Department's National Security Division, said the public and private sector's collaboration has been instrumental in disrupting the hackers. "Today's court-authorized removal of the malicious web shells demonstrates the Department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," Demers said. "Combined with the private sector's and other government agencies' efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country's cybersecurity," he said.

Alternative View

However, praise for the FBI's web shell action didn't come without criticism. "The FBI initiative is more of an FBI takeover," said Saryu Nayyar, security provider Gurucul's chief executive. "While the move may be well intentioned, it certainly seems like the companies targeted by the FBI should have been informed of this broad act of malware removal," she said. Still, the FBI's operation to help companies beset by the Exchange Server exploit remove malicious code from their systems is a "much kinder impact than allowing attackers to run amuck in the network," said Nayyar.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.