The US Department of Justice reported that in early April a court granted the FBI special powers, and the bureau used them to remove web shells that hackers had previously installed on vulnerable Exchange servers in the United States. The FBI was also authorised to remove other malware without first notifying the server owners.
The FBI did not say how many web shells were removed, but stated that “the operation was successful”.
As a reminder, the root of the problem is that in early March 2021 Microsoft engineers released out-of-band patches for four vulnerabilities, which researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data. As a result, attacks on vulnerable servers were carried out by more than 10 hacker groups, deploying web shells, miners and ransomware on the servers.
According to the US authorities and information security experts, Chinese “government” hackers actively used ProxyLogon bugs back in January and February 2021, and after the vulnerabilities were made public, other criminals also joined them.
It is now reported that some of these web shells were not properly secured and reused the same password. The FBI took advantage of this to remove the malware.
It is emphasized that during the operation the FBI did not patch the vulnerable Exchange servers and did not attempt to detect or remove other malicious programs that could have been installed on the systems through those web shells.
The FBI is currently notifying victims whose compromised Exchange servers were discovered during the operation.
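Because removing a web shell neither patches the server nor finds whatever else was dropped through it, owners still have to hunt on their own. The following is an added example, not code from the article, the FBI or Microsoft: a small heuristic scan that walks a web root for ASP.NET pages combining several behaviours typical of web shells (server-side script block, reading attacker-controlled request parameters, spawning processes, writing files, dynamic code loading). The indicator names, regexes and threshold are assumptions chosen for illustration; the two `.aspx` files it scans are constructed in a temporary directory inside the script. In practice this complements, rather than replaces, vendor-published IoCs and file hashes.

```python
"""Heuristic hunt for ASP.NET web shells under a web root.

Added example for this article; the indicators below are assumptions for
illustration, not IoCs taken from any advisory.
"""
import re
import tempfile
from pathlib import Path

# Indicator name -> regex.  A single hit is common in legitimate pages
# (many read Request[]), so a file is only flagged at MIN_HITS or more.
INDICATORS = {
    "server_script_block": re.compile(r"runat\s*=\s*[\"']server[\"']", re.I),
    "reads_request_param": re.compile(r"\bRequest\s*(\[|\.(Form|QueryString|Headers)\b)", re.I),
    "spawns_process": re.compile(r"System\.Diagnostics|Process\.Start|cmd\.exe", re.I),
    "dynamic_code": re.compile(r"\beval\s*\(|Assembly\.Load|Activator\.CreateInstance", re.I),
    "writes_files": re.compile(r"File\.WriteAll|FileStream\(|\.SaveAs\(", re.I),
}
MIN_HITS = 3  # assumption: three independent behaviours in one page is worth a look


def score_source(text):
    """Return the sorted list of indicator names that match the page source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_directory(root, extensions=(".aspx", ".ashx", ".asmx")):
    """Walk root and return {relative_path: [indicators]} for flagged pages."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = score_source(text)
        if len(hits) >= MIN_HITS:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample pages: one ordinary logon page and one shell-like page.
SAMPLES = {
    "owa/auth/logon.aspx": (
        '<%@ Page Language="C#" %>\n'
        "<html><body><h1>Sign in</h1>\n"
        "<% Response.Write(DateTime.Now); %></body></html>\n"
    ),
    "aspnet_client/shell.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        "void Page_Load(object s, EventArgs e) {\n"
        "  var p = new System.Diagnostics.Process();\n"
        '  p.StartInfo.FileName = "cmd.exe";\n'
        '  p.StartInfo.Arguments = "/c " + Request["cmd"];\n'
        '  System.IO.File.WriteAllText(Request["path"], Request["data"]);\n'
        "}\n"
        "</script>\n"
    ),
}


def demo():
    """Write the constructed samples to a temp web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real server by calling `scan_directory` with the IIS web root; anything it flags should be compared against the server's change history and known-good builds before it is treated as a shell, and a hit is a reason to start a full compromise assessment, not the end of one.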