FBI Operation Remotely Removes Web Shells From Exchange Servers

A court order authorized the FBI to remove malicious Web shells from hundreds of vulnerable machines running on-premises Exchange Server.

A court order has authorized an FBI operation to remove Web shells deployed on machines running on-premises versions of Microsoft Exchange Server, the Justice Department reports.

The court order covered email servers in the United States. As part of the operation, the FBI copied and removed "one early hacking group's remaining web shells" from affected targets. Had the Web shells been left in place, they could have been used to maintain and expand unauthorized access to the compromised networks, say officials, who call the operation "successful."

News of the operation arrives roughly six weeks after Microsoft disclosed critical Exchange Server flaws that have since been used to target thousands of networks around the world. An attacker could use the vulnerabilities to break into an unpatched server and steal its data.

At the time it released patches, Microsoft identified one group behind the activity as Hafnium, a state-sponsored group operating out of China. Since then, many other groups have begun using the same vulnerabilities to deploy ransomware and cryptomining payloads, among other activity.

Many organizations rushed to patch the bugs: on March 24, Microsoft reported that 92% of global Exchange IPs had been patched. But while applying the patch prevents future compromise, it does not remove malicious code already present on a machine. Court documents unsealed today cite open source reporting that states there may be at least ..