With court order, FBI removes hundreds of Exchange Server web shells from US organizations
The FBI has used a court order to remove malicious code from hundreds of U.S. computers running the Microsoft Exchange Server email program, Justice Department officials announced Tuesday.
The court-ordered removal of the web shells, or scripts used by hackers for persistent access, is one of the most aggressive actions taken yet by U.S. government officials or corporate executives to combat the Exchange Server vulnerabilities since Microsoft announced on March 2 that suspected Chinese spies were exploiting them. The alleged Chinese hackers used the flaws to steal emails from targeted organizations, according to private-sector analysts, but an array of scammers have since exploited the bugs for their own purposes.
In the days after Microsoft revealed the vulnerabilities, incident responders estimated that tens of thousands of U.S. organizations running Exchange Server could be exposed to potential hacking. Many of those organizations have removed the web shells, but Justice Department officials said they asked for the court order because other organizations “appeared unable” to clean up their systems.
The U.S. District Court for the Southern District of Texas gave the FBI permission to issue a command through the web shells to a server that deleted the web shells, the Justice Department said in a press release. It was unclear from which U.S. organizations the web shells were removed. The FBI said it was attempting to notify all organizations affected.
“Initially the targets [of the Exchange Server hacking] were high-value intelligence targets in the United States,” the FBI said in an affidavit supporting its application for a search warrant. “The scope of targets later expanded.”
The work to remediate the compromises nevertheless continues. A senior Department of Homeland Security official has said that thousands of computer servers with updated Exchange Server software had already been breached.
In a separate development, the National Security Agency said Tuesday that it had alerted Microsoft to a new set of vulnerabilities in Exchange Server that hackers could exploit to remotely access email inboxes. Microsoft said it was not aware of any customers that had been hacked using the new vulnerabilities.
You can read the court documents online.