FBI Removes Web Shells from Infected Exchange Servers

The US authorities sought a court order to remove web shells running on hundreds of Microsoft Exchange servers, following mass exploitation of vulnerabilities patched in March, it has emerged.

The Department of Justice (DoJ) announced the move yesterday, explaining that although system owners managed to remove thousands of malicious scripts from their infected servers, hundreds persisted.

Although the attacks started as early as January, one report claimed that as many as 30,000 US Exchange Server customers may have ultimately been impacted by the compromise, as various groups piled in once the bugs were made public a couple of months later.

Web shells were installed onto the infected machines to achieve a persistent backdoor for attackers to return to, and used to deploy additional malware such as ransomware and coin miners.

According to the DoJ, the FBI issued a command through each remaining web shell to the affected server, causing it to delete the offending script, which was identified by its unique file path.

However, the notice warned victims of the attacks that the court-authorized action did not extend to patching the Exchange Server vulnerabilities or finding and removing any additional malware or hacking tools that may have been placed on endpoints.

The FBI is currently in the process of contacting those whose machines it has scrubbed of web shells, either directly or via their ISP or other service provider.

However, Rick Holland, CISO at Digital Shadows, warned that the risk of reinfection is high for those who’ve so far been unable to remove their web shells.

“The speed with which the FBI conducts the victim notification is critical. The FBI only removed the web shells, not the software vulnerabilities themselves. Chinese actors will no doubt have already set up additional ways to maintain persistence in their victim networks. We will see a ‘gold rush’ of other malicious actors seeking to reinfect the unpatched Exchange servers,” he argued.

“The FBI notification process itself provides actors an opportunity to target new victims. Bad actors can set up a phishing lure that purports to be from a legitimate FBI address to social engineer their targets.”

What’s Hot on Infosecurity Magazine?