FBI Obtains Court Order To Remove Backdoors From Hacked Exchange Servers

A press release on Monday revealed the existence of an FBI operation intended to end the attacks by the “Hafnium” group and others on Microsoft Exchange servers earlier this year. While patches and mitigations solved the problem for many, a number of servers remained exposed, and attackers were installing web shells on them to keep their remote access. The federal government says these shells might have been difficult for some administrators to identify and remove on their own.

United States District Court for the Southern District of Texas

The FBI targeted Hafnium web shells in particular (as described in court documents), identifying them on servers in the United States, accessing them remotely using the attackers’ own passwords, and running a command that caused the shells to delete themselves, thwarting the group’s plans. The search warrant requested by the FBI allowed it to carry out this operation and to delay notifying the servers’ administrators. It was granted permission on April 9 to carry out the operation for up to 14 days, as well as permission to delay notifications for up to 30 days.

According to the Department of Justice, “This operation successfully copied and removed these web shells. However, it did not fix Microsoft Exchange Server zero-day vulnerabilities, or find or remove additional malware or hacking tools that hacking groups could have placed on victims’ networks by exploiting the web shells.”

Now the FBI says it is sending emails to server owners and “is attempting to provide notice of the court-authorized operation to any owners or operators of the computers from which it removed the hacking group’s web shells.” While we are not aware of a precedent for the FBI acting on private servers after they were attacked, Wired reporter Kim Zetter highlights how it handled the Coreflood botnet in 2011 by sending a command to an infected machine to shut it down, also under a court order. The Department of Justice and Microsoft have not commented publicly on the operation beyond this statement.
