A press release on Monday revealed the existence of an FBI operation that tried to stop attacks by the Hafnium group and others on Microsoft Exchange servers earlier this year. While patches and mitigations have addressed the problem for many people, a number of servers remained exposed, and attackers had installed web shells on them to maintain remote access. Federal agencies say these shells may have been difficult for some administrators to identify and remove on their own.
The FBI targeted Hafnium shells in particular (as described in the court filings) because it had identified them on servers in the United States; it accessed the shells remotely using the attackers' own passwords and executed a command to delete them, thwarting the group's plans. The search warrant requested by the FBI allowed it to perform this operation and to delay notifying the server administrators. It received permission on April 9 to perform the operation for up to 14 days, along with permission to delay notification for up to 30 days.
According to the Department of Justice, "This operation was successful in copying and removing these web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities, nor did it search for or remove additional malware or hacking tools that hacking groups may have placed on victims' networks using the web shells."
The FBI now says it is sending emails to server owners and "attempting to provide court-authorized notice to all owners or operators of the computers from which it removed the hackers' web shells." Although we know of no precedent for the FBI taking action on private servers after an attack, Wired reporter Kim Zetter points out that it dealt with the Coreflood botnet in 2011 by sending a command to infected machines to shut it down, also under a court order. The Department of Justice and Microsoft did not comment publicly on the operation beyond the statement.