IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FBI shuts down web shells in hacked Exchange servers

Court approves FBI operation to remove web shells from vulnerable Exchange servers

FBI, DOJ badge on a crest

The FBI has used a search warrant to access Exchange servers vulnerable to the ProxyLogon exploit, copy the offending web shells for evidence, and then remove them.

According to the Department of Justice, though many infected system owners successfully removed the web shells from thousands of computers, the Feds moved to close down the shells because “others appeared unable to do so, and hundreds of such web shells persisted unmitigated.”

The FBI said the operation removed one early hacking group’s remaining web shells, which hackers could have used to maintain and escalate continued, unauthorized access to US networks.

The FBI conducted the removal by issuing a command to the server through the web shell that caused the server to delete only the web shell.  Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells, according to the FBI.

Assistant Attorney General John Demers of the Justice Department’s National Security Division said the the malicious web shells’ court-authorized removal “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecution”.

“There’s no doubt that more work remains to be done but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts,” Demers added.

Ilia Kolochenko CEO, founder, and chief architect at ImmuniWeb, told ITPro this was a wise move given exposed web shells indicate server owners are unaware of the server or grossly negligent by having unpatched and compromised system exposed to the internet.

Hacked servers are actively used in sophisticated attacks against other systems, amplify phishing campaigns and hinder investigation of other intrusions by using the breached servers as chained proxies,” Kolochenko said.

“Thus, arguably, such preventive removal may be considered a legitimate self-defense in cyberspace. In any case, neither hackers nor server owners will probably complain or file a lawsuit for unwarranted intrusion. What is interesting, is whether the FBI later transfers the list of sanitized servers to FTC or state attorney generals for investigation of bad data protection practices in violation of state and federal laws.”

In related news, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered agencies to apply new security patches for vulnerable exchange servers. The updates mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019.

According to CISA, hackers could use these vulnerabilities to access and maintain persistence on the target host. It added the flaws are different from the ones disclosed and fixed in March 2021.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” a statement read.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022
Microsoft silent patches called “a grossly irresponsible policy”
cyber security

Microsoft silent patches called “a grossly irresponsible policy”

15 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022