Security news that informs and inspires

FBI Uses Warrant to Remove Webshells From Compromised Exchange Servers

In what appears to be an unprecedented action, the FBI last week obtained a warrant that enabled agents to send remote commands to compromised Microsoft Exchange servers that copied, and then deleted, malicious webshells installed on the machines by attackers.

On April 9, the FBI applied for a warrant that was approved by the United States District Court for the Southern District of Texas that enabled bureau specialists to perform the remote deletion of the webshells from an undisclosed number of servers across the country. In the warrant application, the number of servers that the FBI sent commands to is redacted. The webshells the FBI sought to copy and remove are small pieces of code that attackers who exploited the ProxyLogon Exchange vulnerabilities left behind as a means of persistence.

“By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them,” the warrant application says.

In early March, Microsoft announced that it had identified four previously unknown vulnerabilities in Exchange that were being exploited in the wild. The most serious of the bugs is a server-side request forgery vulnerability that can grant attackers initial access to target servers. Attackers exploiting the bugs were installing webshells on compromised servers in order to maintain persistence. In the application, the FBI said "FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each of the approximately (redacted) web shells to the servers to delete the web shells themselves."

Interestingly, in its press release, the Department of Justice said that the operation “removed one early hacking group’s remaining web shells”. The original attack group that Microsoft identified as having exploited the Exchange flaws before a fix was released in March was Hafnium, an APT team attributed to China. But it soon emerged that at least one other group was exploiting the same vulnerabilities early in their lifecycle, and within days of the emergency patch release by Microsoft several other groups had begun targeting the bugs as well. The attacks quickly spread from a small group of high-value targets and began hitting targets of opportunity, meaning any on-premise Exchange server that hadn’t been patched.

The FBI applied for the warrant on April 9 and asked for a 14-day window in which to conduct the operation, an effort to conceal it from the attackers who had installed the webshells in the first place. In the application, the FBI said that it had tested the method, which essentially involved connecting to each webshell, entering the unique key for it, making a copy of it for evidence, and then deleting it from the server.

“When conducted through an internal FBI testing process, this command successfully deleted the web shell from an FBI server and did not impact other files or services of the computer. An FBI technical evaluation of the code and a related briefing to an outside expert was also conducted to ensure the code would not adversely affect the victim computers and Microsoft Exchange Server software running on such computers,” the application says.

The technical means by which the FBI did this are not complicated, but the legal ramifications may be. This appears to be the first time that the FBI has publicly acknowledged performing this kind of widespread action against privately owned servers. One relatively close analog is the takedown of the Coreflood botnet in 2011, but that operation involved ISPs notifying their customers about the removal of malicious code from their machines.

Although the number of servers that the FBI targeted in this operation is redacted in the warrant application, it’s almost certainly nowhere near the total number of compromised Exchange servers. The more likely scenario is that the FBI went after a subset of compromised servers that had the publicly known Hafnium webshells on them. But given that there are several separate groups exploiting the Exchange flaws and installing their own webshells, the FBI’s operation looks to have only gone after one group’s artifacts.

“it's noteworthy that this action was performed on behalf of the Justice Department and the FBI. I think it's very important to keep US Intelligence agencies like NSA focused on their foreign targets and away from infringing on civil liberties. The use of courts to authorize the FBI's disruption effort is a solid initial framework to ensure these actions stay focused on increasing security and are restricted from indirect intelligence targeting,” said Kyle Hanslovan, CEO of Huntress Labs.