Government

With court order, FBI removes hundreds of Exchange Server web shells from US organizations

It's one of the most aggressive actions taken yet by U.S. government or corporate officials to combat the Exchange Server vulnerabilities.

By Sean Lyngaas

April 13, 2021

(FBI)

The FBI has used a court order to remove malicious code from hundreds of U.S. computers running the Microsoft Exchange Server email program, Justice Department officials announced Tuesday.

The court-ordered removal of the web shells, or scripts used by hackers for persistent access, is one of the most aggressive actions taken yet by U.S. government officials or corporate executives to combat the Exchange Server vulnerabilities since Microsoft announced on March 2 that suspected Chinese spies were exploiting them. The alleged Chinese hackers used the flaws to steal emails from targeted organizations, according to private-sector analysts, but an array of scammers have since exploited the bugs for their own purposes.

In the days after Microsoft revealed the vulnerabilities, incident responders estimated that tens of thousands of U.S. organizations running Exchange Server could be exposed to potential hacking. Many of those organizations have removed the web shells, but Justice Department officials said they asked for the court order because other organizations “appeared unable” to clean up their systems.

The U.S. District Court for the Southern District of Texas gave the FBI permission to issue a command through the web shells to a server that deleted the web shells, the Justice Department said in a press release. It was unclear from which U.S. organizations the web shells were removed. The FBI said it was attempting to notify all organizations affected.

“Initially the targets [of the Exchange Server hacking] were high-value intelligence targets in the United States,” the FBI said in an affidavit supporting its application for a search warrant. “The scope of targets later expanded.”

The work to remediate the compromises nevertheless continues. A senior Department of Homeland Security official has said that thousands of computer servers with updated Exchange Server software had already been breached.

In a separate development, the National Security Agency said Tuesday that it had alerted Microsoft to a new set of vulnerabilities in Exchange Server that hackers could exploit to remotely access email inboxes. Microsoft said it was not aware of any customers that had been hacked using the new vulnerabilities.

You can read the court documents online.

With court order, FBI removes hundreds of Exchange Server web shells from US organizations

More Like This

FBI director warns of China’s preparations for disruptive infrastructure attacks

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

After a sleepy primary season, Russia enters 2024 U.S. election fray

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

DOJ, FBI disrupt Russian intelligence botnet

DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking

To combat cybercrime, US law enforcement increasingly prioritizes disruption

FBI cybercrime seizure takes down one-time Ukraine IT Army collaborator

FBI takes down dark web marketplace for U.S. citizen personal data

DOJ’s Sandworm operation raises questions about how far feds can go to disarm botnets

The long, bumpy road to cyber incident reporting legislation — and the one still ahead

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics