The FBI has shared information about an operation in which it accessed vulnerable Exchange servers and removed the web shells that attackers had placed there to create a backdoor.
In the announcement of the operation, the FBI said that many owners of infected systems had already removed web shells from thousands of computers. However, the intelligence service observed that hundreds of these web shells were still active. The operation allowed the FBI to remove the remaining web shells belonging to one specific hacking group. The agency also kept a copy of the web shells it removed.
Almost all Exchange servers were vulnerable
The operation followed the critical vulnerabilities that affected all systems running Exchange Server. An exploit for gaining access to the vulnerable servers was widely shared in hacker communities, and servers were compromised at a rapid rate. In many cases, the attackers first installed a web shell, which served as a backdoor for digging deeper into the systems. Even after administrators had patched the vulnerabilities, the web shells could remain behind.
Only web shells removed
The FBI states that the operation successfully removed these web shells. However, the agency adds that it did not patch any vulnerabilities or remove other malware that the hackers may have installed. That is why the intelligence service still strongly advises administrators of Exchange servers to take the necessary steps to protect their systems themselves.
Server admins in the dark
It is believed that this is the first time the FBI has used its resources to break into vulnerable end-user systems with the aim of protecting them. Presumably, many administrators are unaware that the FBI has been active in their systems. The FBI is trying to contact the administrators, using public contact information where available. If that information is not available, the intelligence service sends a message to the victim’s internet service provider in the hope that it can forward the notice.
Many tools for resolving problems available
Microsoft has made a large number of tools available for administrators to fix the vulnerabilities themselves. Patches have been available for well over a month, and Microsoft Defender now has features that can automatically remove malware placed by the attackers. Even once the patches are installed and any malware removed, administrators should remain vigilant: four more critical Exchange Server vulnerabilities were closed during April’s Patch Tuesday.