The FBI has been removing web shells from compromised Microsoft Exchange servers following court authorisation. However, the owners of those Microsoft Exchange servers were never informed of, or asked to approve, the FBI’s actions.
In February, the hacking group HAFNIUM exploited several vulnerabilities in Microsoft Exchange servers. The group installed web shells on the compromised Exchange servers, which gave it persistent remote access to them. Following the attack, Microsoft released a security update that patched the exploited vulnerabilities.
According to a press release published by the Department of Justice (DOJ), the FBI used a search warrant to access compromised servers and remove the web shells from them without the owners’ consent. The FBI has been accessing the servers of owners it believed lacked the technical ability to remove the shells themselves, as well as those it judged to be at significant risk from the shells.
Owners were not informed in advance because the FBI feared that notification could compromise the operation. According to the press release from the DOJ, “the FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.”