FBI removes web shells from compromised Exchange servers

Authorities step in to thwart attacks leveraging the recently disclosed Microsoft Exchange Server vulnerabilities

The United States’ Federal Bureau of Investigation (FBI) has carried out a court-approved operation to “copy and remove” malicious web shells from hundreds of systems across the US that were compromised through the mass exploitation of zero-day flaws in Microsoft Exchange Server earlier this year.

The Department of Justice (DoJ) said that many IT admins have since cleansed their systems of the malicious web shells, which were used for backdoor access to the servers. However, other systems “persisted unmitigated”, which is where the operation came in.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” said the DoJ. In the meantime, the Bureau is contacting the owners of the computers that they accessed to notify them of the removal of the malware.
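Because the web shells the FBI deleted were ordinary server-side script files sitting in Exchange's web directories, an administrator can catch such leftovers by snapshotting those directories right after patching and later diffing the snapshot against the live server. The PowerShell below is an added example for that workflow, not code from the article or from the FBI operation; the scan roots and file extensions are assumptions to adjust for the server in question.

```powershell
# Added example, not from the article. The roots below are assumptions: point them
# at the server's real Exchange install path and IIS web roots before use.
$ExchangeRoot = $env:ExchangeInstallPath      # set by Exchange setup on the server
$ScanRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot'
)
$Extensions = '*.aspx', '*.ashx', '*.asmx'     # server-side script types a web shell would use

# Enumerate every script file under the roots with its SHA-256 and last write time (UTC).
function Get-ScriptFileInventory {
    param([string[]]$Roots, [string[]]$Include)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    LastWriteTime = $_.LastWriteTimeUtc
                }
            }
    }
}

# Record a known-good inventory (run immediately after the server has been patched).
function New-ScriptFileBaseline {
    param([string]$OutFile)
    Get-ScriptFileInventory -Roots $ScanRoots -Include $Extensions |
        Export-Csv -Path $OutFile -NoTypeInformation
}

# Report script files that were added or changed since the baseline was taken.
function Compare-ScriptFileBaseline {
    param([string]$BaselineFile)
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Sha256 }
    Get-ScriptFileInventory -Roots $ScanRoots -Include $Extensions | ForEach-Object {
        if (-not $baseline.ContainsKey($_.Path)) {
            $_ | Add-Member -NotePropertyName Status -NotePropertyValue 'NEW' -PassThru
        } elseif ($baseline[$_.Path] -ne $_.Sha256) {
            $_ | Add-Member -NotePropertyName Status -NotePropertyValue 'MODIFIED' -PassThru
        }
    }
}

# Usage: New-ScriptFileBaseline -OutFile 'C:\baseline\exchange-scripts.csv'
#        Compare-ScriptFileBaseline -BaselineFile 'C:\baseline\exchange-scripts.csv' | Format-Table
```

Files flagged NEW or MODIFIED are candidates for review, not for automatic deletion; preserve a copy for the incident record before removing anything, since the file itself is evidence of how the server was reached.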

The move came after Microsoft disclosed a large-scale campaign exploiting security loopholes in internet-facing Microsoft Exchange servers. The vulnerabilities, which were patched via an out-of-band update, were being exploited to access servers running on-premises versions of the software and allowed threat actors to steal emails, download data, and compromise th ..