The FBI has executed a court-authorized operation to remove malicious backdoor web shells from hundreds of Microsoft Exchange email servers targeted in the recent spate of attacks.
The attacks exploited four zero-day vulnerabilities in Microsoft Exchange, collectively referred to as the ProxyLogon vulnerabilities, that were first exploited by Chinese state-sponsored threat actors known as Hafnium. Even conservative estimates by security experts such as ESET pinned the number of compromised servers at over 5000.
According to reports, this is perhaps the first instance of the FBI sanitizing private servers in the aftermath of a cyberattack.
- These are the best endpoint protection tools
- Check our list of the best firewall apps and services
- Here’s our collection of the best disaster recovery services
Backdoor removal
“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas.
The FBI is now trying to contact the owners of the servers that it has cleaned to inform them about the court-authorized operation.
Utilities such as Microsoft’s one-click tool helped ensure a majority of the servers, several at small business that lack dedicated IT and security teams, could also plug the vulnerabilities.
However, security researchers soon discovered that the attackers had left web shells to return to the compromised systems for future actions.
Discovering and removing the web shells isn’t as simple as applying a patch, which prompted the FBI to act.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the Justice Department note.
- Protect your devices with these best antivirus software
Via: TechCrunch
