The FBI Just Snuck Into Computers All Over the U.S. to Stop a Hacking Campaign

In what may be a first-of-its-kind operation, the FBI recently accessed private servers across the United States, ostensibly to delete malware that had previously been installed by foreign hackers.

The FBI targeted this unique digital clean-up at servers running the vulnerability-ridden email product Microsoft Exchange. The U.S. Justice Department said Tuesday that the purpose of the bureau’s operation was to digitally erase traces of web shells that, had they remained, “could have been used to maintain and escalate persistent, unauthorised access to U.S. networks.”

The security flaws plaguing Microsoft’s product are well known and we’ve covered them quite extensively. Since the company’s disclosures about Exchange’s vulnerabilities in early March, hackers have swarmed exposed servers all over the world to pilfer data and conduct ransomware attacks.

Out of all the groups involved, the China-based group called “HAFNIUM” seems to have concerned American authorities the most. The group, which has used web shells as backdoors into U.S. networks, is said to have aggressively targeted Exchange for email theft and data exfiltration.

A federal affidavit unsealed Tuesday strongly implies that the goal of the FBI’s operation was to remove malware specifically deployed by HAFNIUM. While the Justice Department does not explicitly name HAFNIUM (referring only to “one early hacking group” as the target of the investigation), it is the only threat actor explicitly mentioned in the FBI affidavit.

A DOJ press release notes:

“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated.”

The operation seems to have been strictly targeted at this one particular campaign, as the feds did not “search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

This may be the first time that the FBI has conducted an operation like this, TechCrunch reports. For years, the bureau has sought greater powers and authority when it comes to conducting digital investigations inside the U.S., though critics and civil liberties defenders have consistently fought against such encroachments into private servers.