Published in News

Untouchables touch Microsoft Exchange servers

19 April 2021

FBI removes web shells left behind by zero-day attacks

America's top law enforcement agency obtained a court order that allowed it to remove a backdoor program from hundreds of private Microsoft Exchange servers that were hacked through zero-day vulnerabilities earlier this year.

The Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organisations.

A web shell is a script that attackers drop on a compromised web server to keep backdoor access: it accepts commands over ordinary HTTP requests and runs them on the server with the privileges of the web application, so the attacker can return at any time without exploiting the original vulnerability again.

The warrant targeted web shells installed by a cyberespionage group, dubbed Hafnium, that is believed to have ties to the Chinese government.

In early March, Microsoft reported that Hafnium had been exploiting previously unknown vulnerabilities in Microsoft Exchange to compromise servers. Vole released patches for those vulnerabilities, along with indicators of compromise and detection tools, but this did not stop other groups of attackers from exploiting the same flaws once they became public.

The FBI argued that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds".

The FBI asked for, and received, court approval to authenticate to the malicious web shells using the passwords the original attackers had set on them, and then to turn that access against the malware itself by issuing a command through the shell that deletes the shell's own file, which is essentially a .aspx script sitting in the server's web directories.
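The two traits the article describes, a password gate on one request parameter and evaluation of another parameter as code, are also what a defender can hunt for. The following Python script is an added example, not part of the original article and not code published by the FBI or Microsoft: it walks an Exchange server's IIS web roots and flags .aspx, .ashx and .asmx files whose content matches a small set of web-shell indicators, recording a SHA-256 of each hit so the file can be preserved as evidence before it is removed. The web-root layout, the indicator regexes and the two sample pages are constructed for illustration, and the sample tree is built in a temporary directory so the script runs offline.

```python
"""Triage ASP.NET pages under IIS web roots for web-shell indicators.

Added example: the indicator patterns and the sample pages below are
constructed for illustration and are not a complete signature set.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Constructs a legitimate OWA/ECP page has no reason to contain.
# Hits are reported per pattern so an analyst sees *why* a file was flagged.
INDICATORS = {
    # A request parameter handed straight to eval(): the classic one-liner shell.
    "request_to_eval": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    # Spawning processes from a page (cmd.exe, powershell.exe, ...).
    "process_start": re.compile(r"Process\.Start|ProcessStartInfo", re.IGNORECASE),
    # Hosting a PowerShell runspace inside the page.
    "powershell_runspace": re.compile(r"RunspaceFactory|PowerShell\.Create", re.IGNORECASE),
    # A request parameter compared against a literal: the attacker's password gate.
    "password_gate": re.compile(
        r"Request\s*\[\s*[\"'][\w-]+[\"']\s*\]\s*==\s*[\"']", re.IGNORECASE
    ),
    # Decoding an embedded blob, common in shells that unpack a larger payload.
    "base64_blob": re.compile(r"FromBase64String\s*\(", re.IGNORECASE),
}

PAGE_EXTENSIONS = (".aspx", ".ashx", ".asmx")


@dataclass
class Finding:
    path: str
    sha256: str  # hash taken before any removal, so the copy can be verified later
    size: int
    indicators: list


def scan_web_root(root, min_hits=1):
    """Return a Finding for every ASP.NET page under `root` matching >= min_hits indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                raw = fh.read()
            text = raw.decode("utf-8", errors="replace")
            hits = [key for key, rx in INDICATORS.items() if rx.search(text)]
            if len(hits) >= min_hits:
                findings.append(Finding(full, hashlib.sha256(raw).hexdigest(), len(raw), hits))
    return findings


# Constructed sample content (assumption: shaped like real pages, not copied from any server).
BENIGN_PAGE = (
    '<%@ Page Language="C#" %>\n'
    '<html><body>Sign in <%= Request.QueryString["url"] %></body></html>\n'
)
SHELL_PAGE = (
    '<%@ Page Language="JScript" %>\n'
    '<% if (Request["pw"] == "hunter2") { eval(Request["cmd"], "unsafe"); } %>\n'
)


def build_sample_tree(base):
    """Lay out a constructed web root: one benign logon page and one shell-like page."""
    owa_auth = os.path.join(base, "owa", "auth")
    aspnet_client = os.path.join(base, "aspnet_client", "system_web")
    os.makedirs(owa_auth)
    os.makedirs(aspnet_client)
    with open(os.path.join(owa_auth, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PAGE)
    # Innocuous file name: detection must rely on content, not on the name.
    with open(os.path.join(aspnet_client, "help.aspx"), "w", encoding="utf-8") as fh:
        fh.write(SHELL_PAGE)
    return base


def scan_sample():
    """Build the constructed tree in a temp dir and return the findings from scanning it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_web_root(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}  sha256={f.sha256[:16]}...  size={f.size}  hits={f.indicators}")
```

On a real server the root would be the IIS wwwroot and the Exchange FrontEnd directory, and the hash and path of every hit should be recorded before the file is touched, since, as the warrant itself required, the shell may be evidence.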

The FBI was allowed to make a copy of the web shells first because they could constitute evidence.

The warrant states that it "does not authorise the seizure of any tangible property" or the copying or alteration of any content on the servers other than the web shells themselves, which the warrant identifies by their unique file paths.

So the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation, nor to remove any additional malware or tools the attackers may already have deployed. Owners of affected servers still have to do that themselves.

The FBI notified the owners by sending an email message from an official FBI account, with a copy of the warrant attached, to the contact addresses associated with the domain names of the infected servers.


Last modified on 19 April 2021