Federal law enforcement, toting a court order, excised malicious web shells from hundreds of exposed servers in the U.S. compromised by the fleecing of zero day flaws in Microsoft Exchange Server carried out at the year’s outset by a Chinese-backed hacking syndicate.While Justice Department officials acknowledged that “many infected system owners” had successfully removed the web shells from thousands of computers, many systems infiltrated by the malicious code remained. The Federal Bureau of Investigation (FBI) conducted an operation to remove the web shells by executing a command through the web shell to the server through which the server deleted only the web shell as identified by its unique file path.
- Note: A web shell is malicious code written in typical web development programming languages that hackers implant on web servers for remote access and to run commands on servers to remain in an infected organization’s network. Attackers install web shells on servers by exploiting security gaps.
- Recap: In the first two months of 2021, the Hafnium China-sponsored syndicate exploited zero-day vulnerabilities in Microsoft Exchange Server to access email accounts and place web shells that allowed the hackers to persist in victims’ networks. Other hacking groups have subsequently attacked these vulnerabilities to install web shells on thousands of victim computers in the U.S.




