The FBI hijacks hundreds of computers remotely to protect them from Hafnium

In an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).

The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and prompted a “whole of government” response from the White House, apparently left behind a number of backdoors that could let any number of hackers right back into those systems. Now the FBI has taken advantage of this by using those same web shells / backdoors to remotely remove them, an operation the agency calls a success.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the US Department of Justice explained.

The wild part of this is that the owners of these Microsoft Exchange Servers are probably not yet aware of the FBI’s involvement; the Justice Department says it is only ‘trying to notify owners’ that it tried to help. According to the agency, it is doing all of this with the full approval of a court in Texas. You can read the unsealed search and seizure warrant and application here.

It will be interesting to see whether this sets a precedent for future responses to major hacks like Hafnium. While I personally haven’t decided, it’s easy to argue that the FBI is providing a service to the world by removing a threat like this – although Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had more than a month to patch their own servers after several critical alerts. I wonder how many customers are going to be angry, and how many grateful that it was the FBI, not some hacker, that took advantage of the open door. We know that critical but local government infrastructure often has serious weaknesses in its security practices, which recently resulted in two local drinking water supplies being tampered with.

The FBI says thousands of systems had been patched by their owners before it embarked on the remote Hafnium backdoor removal, and that it only removed “one early hacking group’s remaining web shells that could be used for persistent, unauthorized access to U.S. networks.”

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General John C. Demers of the Justice Department’s National Security Division said in a statement.

Incidentally, today is Patch Tuesday, and Microsoft’s April 2021 security update contains new mitigations for Exchange Server vulnerabilities, according to CISA. Check whether you have an on-premises Exchange Server, or whether anyone you know does.
