FBI Remotely Removed Web Shells from Infected Exchange Servers
Since Friday, April 9, the FBI has been removing web shells from compromised on-premises Exchange servers in at least eight US states. A federal court in Texas granted the warrant that allowed the FBI to conduct the operation without the knowledge of the system owners and operators, although it is attempting to contact them. The operation “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
There are a couple of important dimensions to this one: First, the fire department going into a burning building without permission to put out a fire that may spread to adjacent buildings is a good thing overall, but may end up in extensive water damage to the burning building. The same is true for what the FBI is doing - from a business perspective, much better to *not* be a candidate for unplanned outside fixes of your compromised systems. Second: be prepared for phishing campaigns that appear to be coming from @FBI.gov – warn your supply chain as well. If you have been unable to move to restrictive DMARC anti-spoofing policies, this would be a good item to use to get high level support to do so.
This is both cool and unsettling. It is better to secure your own systems or hire help than to have assistance granted by court order. The FBI will be sending email to notify system owners of actions taken. Even so, be on the lookout for fake FBI.gov phishing emails. Remember these actions didn’t apply patches or forensically analyze your systems to determine what else may be impacted.
Read more in
Gov Infosecurity: FBI Removing Web Shells From Infected Exchange Servers