The court authorizes the FBI to remove web shells from compromised Microsoft Exchange servers
On April 13, 2021, the US Department of Justice (“DOJ”) announced that the Federal Bureau of Investigation (“FBI”) had completed a court-approved removal of malicious web shells from hundreds of compromised computers in the US
Earlier this year, hacking groups exploited vulnerabilities in Microsoft Exchange Server software to access email accounts and install web shells on victims’ computers to keep unauthorized access to US networks. While many affected system owners were able to successfully remove the web shells from thousands of computers, hundreds of web shells remained. The FBI’s operation removed the remaining web shells by sending a command to the server through the web shells that resulted in the server deleting only the web shells. Fighting cyber threats requires partnerships with the private sector and government colleagues, according to acting US attorney, Jennifer B. Lowery, of southern Texas. This court-approved operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to using all viable resources to fight cyber criminals. “
According to the DOJ, the FBI is trying to notify any owner or operator of the computers from which the FBI removed the hacking group’s web shells about the court-approved operation. For owners and operators with publicly available contact information, the FBI will send an email message from an official FBI email account (@ FBI.gov) notifying the owner or operator of the search. For those owners and operators whose contact information is not publicly available, the FBI sends an email message from the same FBI email account to vendors (e.g., an owner or the operator’s ISP) that are accepted that they have the contact information and ask them to notify the owner or operator.
Further information can be found in the DOJ press release.