FBI Reached into Exchange Servers To Delete Hafnium Webshells
The U.S. Federal Bureau of Investigation (FBI) has deleted Webshells on Hafnium-compromised Exchange Server installations across the country, and is now sending notices to victim organizations, according to a Tuesday announcement.
The Webshells were associated with Exchange Server zero-day exploits executed by purported Chinese nation-state attackers that Microsoft dubbed "Hafnium." Microsoft issued patches for these Exchange Server vulnerabilities back on March 2, but the patches do not protect systems that were already compromised. Moreover, the compromises are thought to have started in January.
After releasing its March patches, Microsoft indicated that it had updated its Windows Defender anti-malware solution to detect Hafnium attack methods. It also offered guidance and tools on detecting the Webshells used by the attackers.
Hundreds of Webshells
The FBI argued in a federal court filing requesting permission to delete the Webshells that a certain number of Webshells were still detected after the FBI ran a March 31 scan. These Webshells had unique paths, making them more difficult for organizations to detect.
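To give the detection problem above a concrete form: the script below (an added example, not code from the article, from Microsoft, or from the FBI) compares the ASP.NET files under a web root against a baseline of known-good hashes and flags anything untracked or altered, then adds simple indicators of request-driven script. The directory layout, file names, file contents and the indicator patterns are all constructed for the demonstration and are not the article's own indicators.

```python
"""Baseline-diff scan for unexpected ASP.NET content under an Exchange web root.

Added example; directory layout and file contents are constructed here, not taken
from the article or from Microsoft's tooling.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic indicators of script that takes commands from a request.
# Assumption: illustrative patterns, not a complete or official signature set.
SUSPICIOUS_PATTERNS = {
    "request parameter read": re.compile(r'Request\s*\[\s*"[^"]*"\s*\]'),
    "dynamic eval": re.compile(r'\beval\s*\(', re.IGNORECASE),
    "process launch": re.compile(r'Process\.Start', re.IGNORECASE),
}
WEB_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asax"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_web_files(root, baseline):
    """Return {relative_path: [reasons]} for web files that deviate from the baseline.

    baseline maps relative POSIX paths to the SHA-256 of the known-good file.
    Files present in the baseline with a matching hash are trusted and skipped;
    everything else is reported, with any indicator hits appended as extra reasons.
    """
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        digest = sha256_file(path)
        expected = baseline.get(rel)
        if expected is None:
            reasons.append("not in baseline")
        elif expected != digest:
            reasons.append("hash mismatch")
        else:
            continue  # known-good file, unchanged
        text = path.read_text(errors="replace")
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                reasons.append(f"suspicious: {label}")
        findings[rel] = reasons
    return findings


def build_sample_tree():
    """Create a constructed sample tree and its baseline (assumption: not real Exchange files)."""
    root = Path(tempfile.mkdtemp(prefix="exchange-sample-"))
    logon = root / "auth" / "logon.aspx"
    logon.parent.mkdir(parents=True)
    logon.write_text('<%@ Page Language="C#" %>\n<html>logon form</html>\n')
    baseline = {"auth/logon.aspx": sha256_file(logon)}

    # A baseline file later altered in place, so its hash no longer matches.
    error_page = root / "auth" / "errorFE.aspx"
    error_page.write_text('<%@ Page Language="C#" %>\n<html>error</html>\n')
    baseline["auth/errorFE.aspx"] = sha256_file(error_page)
    error_page.write_text('<%@ Page Language="C#" %>\n<html>error</html>\n<% var c = Request["cmd"]; %>\n')

    # A file under a random-looking name outside the baseline, carrying request-driven script.
    dropped = root / "auth" / "current" / "themes" / "resources" / "x7k2p.aspx"
    dropped.parent.mkdir(parents=True)
    dropped.write_text('<%@ Page Language="C#" %>\n<% var c = Request["cmd"]; %>\n')

    # A benign file outside the baseline (for example, an untracked local customisation).
    extra = root / "auth" / "help.aspx"
    extra.write_text('<html>help</html>\n')
    return root, baseline


if __name__ == "__main__":
    sample_root, sample_baseline = build_sample_tree()
    for rel, reasons in sorted(find_unexpected_web_files(sample_root, sample_baseline).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

The baseline is the important part: a file in an unusual path with an arbitrary name carries no signature to match on, so the reliable signal is that it is not among the files a clean installation or patch level is known to contain. The pattern hits only help to prioritise what the baseline diff already surfaced.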
The FBI used the Webshells themselves to delete them, by sending a command through each one. It tested this approach before carrying out its widespread deletion actions and found that no other files were affected. The FBI also copied the Webshells beforehand, presumably for use as evidence.
The FBI's court filing with the U.S. District Court for the Southern District of Texas, dated April 13, 2021, has been released, but only in redacted form.
The actual number of Webshells detected by the FBI is blacked out in the document. The court filing was sealed on April 9, reportedly so as not to alert the attackers. The filing had requested a 30-day wait period before its unsealing, but U.S. attorneys suggested on April 13 that it be partially unsealed.
One of the reasons offered by the U.S. attorneys for the partial unsealing is that "such unsealing will further enable the government's reasonable efforts to provide notice of the search to some victims."
The FBI court filing didn't specify exactly where it found the Webshells, but it described detecting them in the "Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia."
The FBI is also advising that the attackers could have dropped other tooling on systems besides Webshells to establish future avenues of attack, but it's not clear whether its cleanup operations addressed those as well.
Webshells and Warrants
Exchange Server gets installed by Microsoft's customers on their own servers, so Microsoft has less control over monitoring them than it does with its Exchange Online service, which wasn't affected by the Hafnium attacks.
Microsoft's anti-malware software and tools, when run by organizations, were subsequently bolstered to find Hafnium attack activity and provide remediations, but Microsoft apparently stopped short of doing what the FBI did: reaching into an organization's Exchange Server and deleting the Webshells found there without first asking the organization for permission.
The FBI seems to have carried out a first-of-its-kind action, done without notice via a sealed and non-publicly accessible court authorization. However, it's likely not the last such action we'll see, according to a statement by Jennifer B. Lowery, acting U.S. Attorney for the Southern District of Texas:
This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals. We will continue to do so in coordination with our partners and with the court to combat the threat until it is alleviated, and we can further protect our citizens from these malicious cyber breaches.
The FBI is currently sending notices to organizations affected by its Webshell copying and deletion actions via its FBI.gov mail account. It sends the notices by e-mail if it has the organization's e-mail address; otherwise, it will contact the organization's privacy service or hosting provider to deliver the message.
Webshells now seem to be a reason for the FBI to access servers in the United States. That notion was suggested by Matt Suiche, a security researcher and Microsoft Most Valuable Professional, in a Twitter post.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.