The United States District Court for the Southern District of Texas, Houston Division, has authorized an FBI operation to copy and remove the backdoors found on hundreds of Microsoft Exchange email servers in the United States. This comes months after hackers used vulnerabilities that were still undiscovered at the time to attack thousands of networks.
The Justice Department announced the court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities on Tuesday, and it described it as successful.
To give a bit more of the backstory: in March, Microsoft discovered a new China state-sponsored hacking group, known as Hafnium, that was targeting Exchange servers running on company networks. The group relied on four vulnerabilities which, when chained together, allowed the attackers to break into a vulnerable Exchange server and steal its contents.
Microsoft went on to fix these vulnerabilities; however, the patches could not remove the backdoors from servers that had already been breached. Over the following days, other hacking groups began hitting the still-vulnerable servers with the same flaws in order to deploy ransomware.
As the patches were applied server by server, the number of infected servers dropped; however, hundreds of Exchange servers remained compromised because the backdoors were difficult to find and eliminate.
Well this is interesting. A few days ago the FBI got the go-ahead to access some Americans' computers hacked via Exchange and delete the backdoors the hackers left behind. https://t.co/In8Au7nuWz
— Kevin Collier (@kevincollier) April 13, 2021
According to a statement from the Justice Department: “This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The FBI stated that it is attempting to notify by email as many owners as possible of the servers from which it removed the backdoors.
Assistant Attorney General John C. Demers said the operation demonstrates the department's commitment to disrupting hacking activity using all of its legal tools, not just prosecutions.
Keep in mind that this operation removed the backdoors only: it did not patch the vulnerabilities the hackers exploited, nor did it remove any other malware the hackers may have left behind. In a related development back in 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside their own district; critics opposed the move at the time, fearing that the FBI could ask a friendly court to authorize cyber-operations anywhere in the world.
Other countries have used similar methods; France, for instance, has hijacked a botnet and remotely shut it down, which is quite interesting.