DOJ announces 'successful' FBI hacking attempt to remove Microsoft Exchange cyber threat

The operation appears to have often taken place without computer owners' knowledge.
By Kat Jercich
12:22 PM


The U.S. Department of Justice announced this week that the Federal Bureau of Investigation had removed malicious scripts from hundreds of vulnerable computers in the United States – without necessarily informing the computer owners beforehand that it was doing so.

"Combating cyber threats requires partnerships with private sector and government colleagues," said Acting U.S. Attorney Jennifer B. Lowery of the Southern District of Texas in a press release.   

"This court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers shows our commitment to use any viable resource to fight cyber criminals," Lowery added.  

WHY IT MATTERS  

As recounted in recently unsealed court documents, Microsoft released a report in early March describing attempts by a hacking group called HAFNIUM to exploit previously unknown vulnerabilities in on-premises Exchange Servers. HAFNIUM is believed to be state-sponsored and operating out of China.

The campaign was enormous, affecting what one description called an "astronomical" number of servers.

The Microsoft report showed that HAFNIUM actors would compromise the servers before installing web shells – scripts enabling remote administration – to facilitate long-term access to victim environments.     

"According to open-source reporting, these actors began using the zero-day exploits in January 2021. Initially the targets were high-value intelligence targets in the United States. The scope of targets later expanded. One researcher described them as a 'mass exploitation' and 'indiscriminate,' seemingly targeting every Microsoft Exchange Server that could be identified," read the unsealed court documents.  

Next, unaffiliated hackers began using the exploits to target entities that had not patched the vulnerabilities. 

"According to open-source reporting, there may be at least 60,000 Microsoft customers worldwide whose Microsoft Exchange Servers were compromised through the use of the zero-day exploits described by Microsoft," read the documents.  

Although the FBI and the Cybersecurity and Infrastructure Security Agency conducted a public-awareness campaign aimed at server owners, federal agents believed some victims were unlikely to remove the remaining web shells, either for lack of technical skill or because they could not locate them.

The FBI requested a warrant to use remote access techniques to search certain Microsoft Exchange servers and, through interactions with the web shells, uninstall them.  

The operation appears to have been a success, at least according to the agency: "Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks," read the press release.  

The release notes that the agency is "attempting to provide notice" to all owners and operators of the computers from which it removed the hacking group's web shells – suggesting that the operation took place without those individuals' knowledge.

"For those victims with publicly available contact information, the FBI will send an email message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search," read the statement.  

The agency also says the operation did not patch the underlying vulnerabilities and did not search for any additional malware that the intruders may have installed through the web shells. Removing the web shell closes one door; it does not restore the server to a trusted state.
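Because the operation removed only one group's web shells and left vulnerabilities and any follow-on implants in place, an Exchange administrator still has to check their own server. The following is an added example for this article, not code from the FBI, Microsoft or the court filings: a small heuristic scanner that walks the directories from which an Exchange server serves ASP.NET pages and flags any .aspx/.ashx/.asmx file that both reads input from the HTTP request and hands something to an execution primitive, which is the defining shape of a web shell. The directory paths, the regular-expression indicators and the two sample pages it builds in a temporary folder are all assumptions constructed for the example.

```python
"""Heuristic web-shell scan for Exchange web directories (added example, not the page's code)."""
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Roots an administrator would typically scan. Assumption: default Exchange install
# layout; adjust to your own. These paths are not taken from the article.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]

# A web shell needs two things: a way to take attacker input out of the request and
# a way to execute it. Flag only files that show both. Patterns are illustrative
# (assumption), not a complete signature set.
INPUT_PATTERNS = [
    re.compile(r"Request\s*\[", re.I),
    re.compile(r"Request\.(Form|QueryString|Headers|Item|Params)\b", re.I),
]
EXEC_PATTERNS = [
    re.compile(r"Process\.Start\s*\(", re.I),
    re.compile(r"\bProcessStartInfo\b", re.I),
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"Assembly\.Load\w*\s*\(", re.I),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def classify(source: str) -> list:
    """Return the indicator names matched in a page's source; an empty list means clean."""
    reasons = []
    if any(p.search(source) for p in INPUT_PATTERNS):
        reasons.append("reads-request-input")
    if any(p.search(source) for p in EXEC_PATTERNS):
        reasons.append("executes-code-or-commands")
    return reasons


def scan(roots, modified_within_days=None) -> list:
    """Walk each root and return (path, mtime_iso, reasons) for every ASP.NET file
    that shows both indicators. Optionally restrict to recently modified files,
    which is where a freshly dropped shell usually stands out from shipped pages."""
    cutoff = None
    if modified_within_days is not None:
        cutoff = datetime.now(timezone.utc) - timedelta(days=modified_within_days)
    findings = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():          # unreadable or absent roots are skipped, not fatal
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if cutoff is not None and mtime < cutoff:
                continue
            try:
                source = path.read_text(errors="replace")
            except OSError:
                continue
            reasons = classify(source)
            if len(reasons) == 2:
                findings.append((str(path), mtime.isoformat(timespec="seconds"), reasons))
    return findings


def build_demo_tree() -> str:
    """Create a temp directory holding one constructed benign page and one constructed
    shell-like page so the scanner can be run offline. Both files are fabricated for
    this example and are not real artifacts from any incident."""
    root = tempfile.mkdtemp(prefix="owa_auth_demo_")
    (Path(root) / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<html><body><form runat="server"><asp:Label ID="Msg" runat="server" /></form></body></html>\n'
    )
    (Path(root) / "help.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<% Response.Write(System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["x"]).Id); %>\n'
    )
    return root


if __name__ == "__main__":
    # Run against the demo tree; replace with DEFAULT_ROOTS on a real server.
    for path, mtime, reasons in scan([build_demo_tree()], modified_within_days=30):
        print(f"{mtime} {path} {','.join(reasons)}")
```

A hit from this scan is a lead, not a verdict: compare the file against a known-good Exchange installation, check its creation time against the IIS logs, and treat the host as compromised until the patches are applied and the server has been reviewed for anything the shell was used to install.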

"Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division in the statement.  

"Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity," Demers continued.  

THE LARGER TREND  

A BeyondTrust report released this past month found a record-high number of Microsoft vulnerabilities in 2020, a 48% increase from the previous year.

BeyondTrust experts identified a number of ways for organizations to protect themselves, with endpoint security emerging as a particular point of concern.

"Healthcare CISOs should maintain close control and awareness of their endpoints and users, including the access they require to complete their jobs," said Morey Haber, chief technology officer and chief information security officer at BeyondTrust, in an interview with Healthcare IT News' Bill Siwicki.  

ON THE RECORD  

"Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners," said Acting Assistant Director Tonya Ugoretz of the FBI’s Cyber Division.

"The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions," Ugoretz continued.
