FBI granted access to computers across the US to remove Microsoft Exchange web shells


The FBI has received court approval to access vulnerable computers in the United States.

On Tuesday, the US Department of Justice issued a statement that the FBI (Federal Bureau of Investigation) has been granted permission to access hundreds of computers in the United States running vulnerable versions of Microsoft Exchange Server software in order to remove web shells left behind by the hackers who had previously broken into those servers.

This event demonstrates one of the most proactive steps a law enforcement agency can take when faced with a large-scale hacking operation whose victims are unwilling or unable to quickly remove the vulnerability from their systems.

In short, the FBI obtained permission to remotely access computers in order to remove artifacts left by an early, major hacking operation and thereby prevent hackers from regaining access to these machines.

“The Department of Justice today announced a court-sanctioned operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-grade email services,” the Department said in a statement. …

The move is in response to a series of hacker attacks earlier this year that exploited vulnerabilities in Microsoft Exchange Server. Several hacking groups have used these security flaws to compromise Exchange servers, in some cases aiming to steal the victims’ emails. A well-known Chinese hacker group suspected of these attacks outpaced other attackers by infiltrating tens of thousands of Exchange servers. In this case, the FBI “removed the remaining web shells of one early hacking group that could have been used to maintain and expand persistent, unauthorized access to US networks,” the official statement said.

“The FBI carried out the removal by issuing a command to the server through the web shell, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the statement said.

A web shell is essentially an interface that hackers leave on a compromised system so that they can communicate with it again later. The FBI’s actions did not include patching the underlying systems or removing any other malware, the statement said.

“By deleting these web shells, the FBI will prevent attackers from accessing the servers through the web shells, as well as from installing additional malicious programs on them,” the court records, published along with the statement, said. The documents clarify that the affected servers appear to be located in five or more judicial districts, including the Southern District of Texas, the District of Massachusetts, the Northern District of Illinois and the Northern District of Virginia.

The FBI also collected evidence from the servers themselves and used the web shells’ passwords to access them, the document clarifies.

“FBI officers will access the web shells, enter passwords, make a copy of each web shell as evidence, and then issue a command through each one,” the documents say.

Assistant Attorney General John C. Demers of the Justice Department’s National Security Division said in a statement that “today’s court-sanctioned deletion of malicious web shells demonstrates the Department’s commitment to curbing hacking with all of our legal tools, not just prosecution.”

“Together with the private sector and through the efforts of other government agencies, including the release of detection tools and patches, we are demonstrating the power that public-private partnerships bring to our country’s cybersecurity. There is no doubt that we still have a lot to do, but let there be no doubt that the Department intends to play its integral and necessary role in such efforts,” he added.

The announcement says the FBI is taking steps to inform all owners of affected computers about the operation. In a court document released with the statement, Acting US Attorney Jennifer B. Lowery wrote that “remote access will allow the government to make reasonable efforts to notify some victims of an ongoing search.”

In 2016, the Department of Justice amended the rules governing search procedure, allowing magistrate judges to sign warrants to search computers located outside their district. This was prompted by investigations on the darknet, where the physical location of a malware-infected machine may not be known to law enforcement agencies, as well as by the need to combat botnets.

A Microsoft spokesman declined to comment. On Tuesday, the NSA posted a message on Twitter advising users to install Microsoft’s new security patches, including those related to the Exchange Server vulnerabilities.
