Cybersecurity, Privacy, & AI


FBI Removes Malware from Private Sector MS Exchange Servers


The Justice Department has revealed that the FBI executed a court-authorized cyber operation to remove malicious web shell software from hundreds of privately owned compromised Microsoft Exchange servers in the United States. The removal was carried out by issuing a command to each server through the web shell itself, the backdoor the attackers had left, which disabled the malware.

This is the first known instance of such an operation being carried out without the prior knowledge of the servers’ owners and operators; the FBI has subsequently attempted to notify them. “Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” DOJ explained.

Industry reaction has raised numerous concerns, including the precedent this sets for government intervention, whether the government has the legal authority to take such action, and the implications of the fact that the attackers had successfully covered their tracks well enough to evade detection in so many systems.
