A Groundbreaking Initiative: FBI's Removal of Web Shells from Exchange Servers (Part 1)
Chapter 1: Introduction to the Operation
On April 13, 2021, a pivotal event in U.S. cybersecurity came to light. The U.S. Department of Justice revealed a "Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities," which described an FBI initiative targeting malicious web shells on publicly accessible email systems. Officially, the operation began on April 9, 2021, as indicated in the accompanying documents. The DOJ's announcement suggests that the operation was both comprehensive and successful.
For further details, you can access the DOJ's announcement here, along with a full version of the unsealed yet partially redacted court documents available here.
In essence, this operation empowered the FBI to:
- Connect to "hundreds" of compromised computers across the U.S.,
- Duplicate known web shells, and
- Erase them from the affected systems.
This event may establish a noteworthy precedent for government responses to cyber vulnerabilities. Many perspectives on this issue have emerged, prompting me to share my insights based on the available documents. Key questions to explore include:
- What motivates the U.S. government to intervene?
- How does the FBI execute this operation?
- What specific actions is the FBI undertaking?
- Were my systems accessed?
- What cyber threat intelligence (CTI) can be derived from this operation?
- What should our next steps be?
In this two-part series, I will address three questions in each installment. Should you have additional inquiries or insights, please feel free to comment or reach out on Twitter for further discussion!
Section 1.1: Government Motivation
This initiative was primarily driven by a set of Microsoft Exchange Server vulnerabilities disclosed in March 2021. These vulnerabilities affected various on-premises versions of Exchange Server, significantly broadening the scope of impact. Given Exchange's widespread usage across diverse business sectors, the ramifications extend from major corporations to small "mom-and-pop" enterprises. (I recently discussed the implications for small and medium businesses on a podcast; I will share that link once available.)
In my view, the extensive nature of these vulnerabilities is the main catalyst for the government's intervention. The risks posed are so widespread that a proactive response to eliminate malicious files from certain systems seemed necessary. Moreover, the FBI’s affidavit supporting this operation highlights a well-known truth in the cybersecurity field: incident recovery can be a daunting task.
The FBI indicates that many victims of this attack likely lack the technical expertise to effectively clean up after such breaches. I would argue that a significant number of victims may not even realize they have been compromised, even as of this writing—nearly six weeks after the vulnerabilities were disclosed.
This acknowledgment from the FBI is crucial, as it highlights two key consequences of widespread attacks:
- Due to the notoriety of these vulnerabilities, passwords for malicious web shells are often publicly accessible.
- Attackers only need to ascertain the presence of a shell and can then employ relatively simple password lists to gain access. In many instances, the passwords and filenames are closely tied together.
There is always a portion of affected organizations—often small to medium-sized businesses—that are unaware of their compromised status and lack the technical resources to rectify the situation. In brief, they are compromised and oblivious, while attackers either already know about the foothold or will discover it later.
This represents an ongoing cybersecurity challenge: organizations often deploy systems and software (like email servers or websites) with minimal technical understanding, leaving them unpatched for extended periods. Attackers will inevitably exploit these vulnerabilities later.
Section 1.2: The Rationale Behind Targeting Small Businesses
You may wonder why attackers would target a vulnerable system, especially if it belongs to a small business with little relevance to their objectives. The answer lies in geographical considerations and the exploitation of trust.
For instance, consider a foreign attacker trying to infiltrate a U.S.-based entity. Basic perimeter defenses can often flag or block unauthorized connections, particularly from foreign IP addresses. Therefore, attackers frequently seek ways to appear as though they originate from a "trusted" location.
By compromising a low-level system, such as an email or blog server, attackers can use it as a launchpad for operations, masquerading their activities as originating from a U.S.-based IP address.
Chapter 2: The Mechanisms Behind the Operation
The operational mechanics of this initiative are particularly noteworthy and warrant close attention. They are grounded in legal frameworks that guide how the government assessed and approached the situation.
Section 2.1: Establishing Jurisdiction
The authority enabling this search warrant derives from the Federal Rule of Criminal Procedure, specifically Rule 41(b)(6)(B). This rule allows a magistrate judge to authorize remote searches and seizures if violations of U.S. Code 1030(a)(5) occur across five or more districts.
This U.S. Code stipulates that unauthorized access or the transmission of commands to a computer constitutes a violation. If such actions occur in multiple districts, a warrant can be issued for remote access.
The FBI’s affidavit identifies some of the districts affected by these vulnerabilities while noting that the list is not exhaustive.
Section 2.2: Defining a "Protected Computer"
Further down in the U.S. Code, a "protected computer" encompasses systems involved in or influencing interstate or foreign commerce or communication. This broad definition means that many entities would qualify under these parameters, particularly in cases of ransomware attacks on national or international companies.
I am left pondering whether the invocation of such powers under this legal framework may pave the way for future FBI actions aimed at eliminating attacker remnants.
On April 13, 2021, Microsoft announced additional Exchange vulnerabilities. Will we witness similar interventions from the U.S. government again?
Section 2.3: The FBI's Actions
The operational specifics reveal that the FBI is utilizing the authority granted by this warrant to:
- Connect to systems remotely,
- Access known web shells,
- Retrieve copies of these web shells, and
- Eliminate the web shells.
The affidavit clarifies that no physical property will be taken, and the operation is strictly limited to the identified web shells.
To clarify for those concerned: the FBI is not accessing your entire system or extracting all data. The scope of their actions is confined to the web shells in question.
To be continued…
In the next installment, I will delve into the remaining three questions raised earlier, focusing on insights derived from the specific systems the FBI targeted, implications for CTI analysts, and our next steps in response. Stay tuned for updates!