FBI removes malicious web shells from hundreds of compromised Microsoft Exchange servers

The U.S. Department of Justice (DOJ) authorized the Federal Bureau of Investigation (FBI) to remove malicious web shells from hundreds of compromised and vulnerable Microsoft Exchange servers.

The Justice Department update was issued on April 13 just a day after the Cybersecurity and Infrastructure Security Agency (CISA) had published new reports on DearCry ransomware and China Chopper Web Shell malware linked to recent Exchange Server exploits. Attackers have been using this malware to further compromise on-premise Microsoft Exchange servers and launch other attacks.

That report also followed a CISA and FBI urgent joint cybersecurity alert last month on the Microsoft Exchange vulnerability exploits. Malicious cyber actors used zero-day exploits (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise thousands of Exchange servers around the globe.

An excerpt from the DOJ report:

“Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access e-mail accounts and place web shells (which are pieces of code or scripts that enable remote administration) for continued access. Other hacking groups followed suit starting in early March after the vulnerability and patch were publicized. Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated. Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path). This is unrelated to Microsoft’s 13 April announcement.”

Department of Justice

Moreover, the report noted that the web shells removed by the FBI each had a unique file path and name. Therefore, it may have been challenging for server owners to detect and remove the web shells.

Because the web shells the FBI removed today each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.
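The point above is that a web shell dropped under an arbitrary name and path defeats lookups for known filenames, so a defender needs a check that does not depend on knowing the name in advance. The following is an added example, not code from the article or from the FBI or DOJ: it records a SHA-256 manifest of a web root while the server is known-good and later reports any file that is new, modified or missing, then narrows the list to server-executable types. The directory layout, file names and contents are constructed for the demonstration and are not indicators from any real incident.

```python
"""Baseline-diff scan for unexpected files in a web root (added example).

Records relative path -> SHA-256 for every file under a web root, then compares
the current state against that manifest. A web shell with a unique file name
cannot be matched by name, but it is always a file that was not present (or
did not have that content) when the baseline was taken.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types IIS executes server-side; constructed list for this example.
EXECUTABLE_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_deviations(root: Path, baseline: dict) -> list:
    """Return sorted (relative_path, reason) tuples for files that are
    new, modified or missing relative to the recorded baseline."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def server_executable(findings: list) -> list:
    """Keep only findings whose file type the web server would execute."""
    return [f for f in findings if Path(f[0]).suffix.lower() in EXECUTABLE_EXTS]


def demo() -> list:
    """Constructed scenario: baseline a fake web root, then add an oddly named
    .aspx file and alter two existing files; return the executable findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth_dir = root / "owa" / "auth"
        auth_dir.mkdir(parents=True)
        (auth_dir / "logon.aspx").write_text("<%@ Page %> legitimate page")
        (auth_dir / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_baseline(root)

        # Simulated later state (constructed; not a real indicator of compromise):
        (auth_dir / "x7Qp2.aspx").write_text("<%@ Page %> unexpected file")
        (auth_dir / "logon.aspx").write_text("<%@ Page %> legitimate page + appended")
        (auth_dir / "logo.png").write_bytes(b"\x89PNG changed")

        return server_executable(find_deviations(root, baseline))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:9s} {rel}")
```

In practice the manifest would be taken from a freshly patched, known-good install and kept off the server, since an attacker with write access to the web root can also alter a manifest stored beside it; the `missing` category matters too, because the legitimate file may have been replaced rather than supplemented.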

Finally, since the FBI’s action did not address the vulnerabilities, organizations are still strongly encouraged to patch their Microsoft Exchange Servers as soon as possible if they haven’t already.