A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.
On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM.
These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers where threat actors used them to exfiltrate email and accounts credentials.
Over the following weeks, government agencies released guidance, and Microsoft released a variety of scripts and tools to help victims determine if they had been compromised and remove web shells.
Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install ransomware, cryptominers, and further web shells.
FBI uses search warrant to remove web shells
In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.
The FBI requested this warrant because they believed that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim.
“Based on my training and experience, most of these victims are unlikely to remove the remaining web shells because the web shells are difficult to find due to their unique file names and paths or because these victims lack the technical ability to remove them on their own,” the FBI stated in an affidavit in support of a search warrant.
As there was concern that notifying the owners of these servers could compromise the operation, the FBI requested that the warrant be sealed and that notification of the warrant be delayed until the operation was finished.
“Accordingly, the United States requests approval from the Court to delay notification until May 9, 2021, 30 days from the first possible date of execution on April 9, 2021, or until the FBI determines that there is no longer need for delayed notice, whichever is sooner,” the affidavit requested.
They further requested permission to search at any time of the day to avoid detection by threat actors.
“Because accessing such computers at all times will allow the government to minimize the likelihood of the actors’ detection and deployment of countermeasures that could frustrate the authorized search, good cause exists to permit the execution of the requested warrant at any time in the day or night,” states the affidavit.
To clean the identified Microsoft Exchange servers, the FBI accessed the web shell using known passwords utilized by the threat actors, copied the web shell as evidence, and then executed a command to uninstall the web shell from the compromised server.
“FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the approximately web shells to the servers to delete the web shells themselves,” the FBI explained in the affidavit.
A court in Houston granted the search warrant on April 16th and permitted the FBI to remove web shells from the listed Exchange Server over the next 14 days. The court also allowed the FBI to delay providing notice to the Exchange Servers’ owners being searched.
The DOJ press release states that the FBI operation was successful and that they could remove hundreds of web shells from compromised US Exchange Servers.
However, the FBI states that the operation only removed web shells and did not apply security updates or remove any other malware that threat actors may have installed on the server.
The FBI is now in the process of notifying victims whose Exchange servers were accessed during the operation. The FBI will send these notifications via email from an official FBI.gov email account, or if contact information is not available, by using a service provider (ISP) to contact the victim.