Court Authorizes FBI to Remove Web Shells from Compromised Microsoft Exchange Servers
On April 13, 2021, the U.S. Department of Justice (“DOJ”) announced that the Federal Bureau of Investigation (“FBI”) executed a court-authorized removal of malicious web shells from hundreds of vulnerable computers in the U.S.
Earlier this year, hacking groups exploited vulnerabilities in Microsoft Exchange Server software to access e-mail accounts and install web shells on victim computers for continued, unauthorized access to U.S. networks. While many affected system owners were able to successfully remove the web shells from thousands of computers, hundreds of web shells remained. The FBI’s operation removed the remaining web shells by issuing a command through the web shells to the server, which was designed to cause the server to delete only the web shells. According to Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas, “Combatting cyber threats requires partnerships with private sector and government colleagues. This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals.”
According to the DOJ, the FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which the FBI removed the hacking group’s web shells. For those owners and operators with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the owner or operator of the search. For those owners and operators whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as an owner or operator’s ISP) who are believed to have the contact information and ask them to provide notice to the owner or operator.
For more information, see the DOJ’s press release.