The FBI was given permission last week by the United States Department of Justice (DOJ) to remove web shells that were maliciously placed as a result of the Microsoft Exchange Server vulnerabilities discovered in January. For more information on the Exchange Server vulnerabilities, see our prior Security Advisory discussing them. If you have not applied the patch yet, it is urgent that you do so immediately.
The FBI was able to identify hundreds of remote web shells that persisted on networks even after the patch was applied. Attackers placed these shells knowing the vulnerability would be fixed and wanting to maintain access for future attacks. The DOJ stated, “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).” The FBI is currently attempting to contact the owners of the Exchange servers from which it removed web shells and notify them of the actions taken. Although the removal of these web shells is good news for the organizations where they existed, the FBI has not applied the patches needed to remove the vulnerabilities, nor has it removed any other malware the attackers left behind.
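Because a web shell is just a server-side script file sitting in a web-accessible directory, patching alone does not remove it; an administrator has to look for files that should not be there. The following PowerShell script is an added example and is not code from the advisory or from the FBI. It lists recently modified server-side script files under the web-facing parts of an Exchange install and hashes them so they can be compared against a known-good baseline. The install root, the subdirectories searched, the file extensions and the 90-day window are all assumptions and should be adjusted for the environment being checked.

```powershell
# Added example, not part of the original advisory.
# Inventory recently modified server-side script files under the web-facing
# Exchange directories so an administrator can review them against a baseline.
# Assumptions: default Exchange 2013+ install root, the FrontEnd\HttpProxy and
# ClientAccess subtrees, ASP.NET script extensions, and a 90-day lookback.
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",  # assumed default path
    [int]$Days = 90                                                             # assumed lookback window
)

$cutoff = (Get-Date).AddDays(-$Days)

# Only the web-accessible subtrees are interesting for this check.
$roots = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy")
    (Join-Path $ExchangeRoot "ClientAccess")
) | Where-Object { Test-Path $_ }

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not $findings) {
    "No server-side script files modified in the last $Days days under the checked directories."
    return
}

# Write a CSV that can be diffed against a known-good baseline, then print the list.
$report = Join-Path $env:TEMP "exchange-web-files-$(Get-Date -Format yyyyMMdd).csv"
$findings | Sort-Object LastWriteTime -Descending | Export-Csv -Path $report -NoTypeInformation
$findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
"Report written to $report"
```

A recently modified file is a lead, not a verdict: legitimate updates also touch these directories, so compare the output against a baseline taken from a clean install or a known-good server, and treat any script file with no matching baseline entry as something to examine before deciding whether to remove it. Run the script from an elevated prompt so the Exchange directories are readable.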
What effect the court order authorizing these actions will have on future requests is still unknown, but it sets an interesting precedent going forward. Even though the FBI's intentions and actions were for the benefit of the affected organizations, the government was accessing private networks without the owners' permission. This could open the door to more government intervention on private networks. Opinions are split on the matter, but most believe this will not be the last time we see the government taking steps to remove threats from networks it does not own.