Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

FBI Blasts Away Web Shells on US Servers Without Telling Owners

April 15, 2021

ZDNet reported on April 14 that the Department of Justice revealed on April 13 that the FBI had received authorization from a court to remove web shells installed on compromised servers related to the Exchange vulnerabilities.

“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

Despite the operation, entities that run Exchange servers should still follow Microsoft’s advice and ensure their servers are properly patched.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the department said.

“This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

Because each shell had a unique file path and name, the department added that it may have been difficult for “individual server owners” to find and remove them. As of the end of March, the department was aware of “hundreds” of shells still working on US servers. Microsoft released its first alerts on the vulnerabilities at the start of March.

If you were running an Exchange server in the United States, it could have been compromised, and then partially mitigated by the FBI, without your knowledge.

The FBI is trying to alert the server owners from whose systems it removed shells. Affected users with publicly available contact information will receive an “e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search”, and failing that, ISPs will be contacted to provide notice.

“Today’s court-authorized removal of the malicious web shells demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General for National Security John C. Demers said.

On March 24, Microsoft said 92% of vulnerable servers were patched or mitigated.

Does it unnerve anyone else that the government can go into privately-owned servers, even with good intentions, without prior notice?

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson