The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday.
The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers’ owners, following the discovery and exploitation of critical vulnerabilities in the enterprise software.
Shortly after Microsoft raised the alarm early last month over the security holes in Exchange and provided fixes for the vulnerabilities, miscreants swarmed to exploit the programming blunders and hijack unpatched installations. (Certain groups were even breaking in Exchange servers via the holes before their existence was public knowledge.)
The FBI found hundreds of such compromised deployments with backdoors installed by one cyber-gang in particular, leading to agents asking the courts to allow them to go in and delete the malicious code. The court approved the action and the document was unsealed this week, 30 days later.
“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the Justice Department noted in an announcement. “Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to US networks.”
The FBI deleted the shells by issuing a command through the web shell to the server “which was designed to cause the server to delete only the web shell (identified by its unique file path),” it said. Critically, however, the Feds did not touch the servers themselves and so they remain unpatched and open to infiltration.
What I very much like about this is that they got a court order approving the behaviour before going out and doing it.