The FBI executed a court-authorized operation to copy and delete malicious web shells from hundreds of vulnerable systems in the U.S. that were running Microsoft Exchange Server software.
The Unpatched Flaws
Microsoft Exchange Server software provides enterprise-level email services to organizations globally. Multiple state-sponsored cybercriminal groups like Hafnium and DearCry exploited zero-day vulnerabilities in Microsoft Exchange Server software between January and February 2021. Threat actors deployed web shells and malicious scripts to gain continued remote access to email systems. Cybersecurity experts found a massive amount of information being transferred from the compromised Exchange servers to unknown IP addresses.
However, Microsoft released fixes in March 2021 to address the four critical Zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in its Microsoft Exchange servers and urged organizations and users to apply them as early as possible.
“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the DoJ said.
Removing the Malicious Web Shells
Ever since the Exchange flaws were disclosed, Microsoft and other industry experts released security updates, detection tools, and other preventive measures to assist victim organizations to protect against the series of cyberattacks. Even the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory to provide enterprises guidance on detecting, protecting, and remediating against this malicious activity.
The FBI removed the web shells on hundreds of servers by issuing a command through the web shell to the server. This command is specially crafted to make the server delete only the web shell by identifying its unique file path. However, this operation did not fix any Microsoft Exchange Server zero-day vulnerabilities or remove any additional malware that threat actors may have deployed on victim networks by exploiting the web shells.
“This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to using any viable resource to fight cybercriminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches,” said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas.
