Why is the FBI cleaning Exchange servers?

Earlier this week, the Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations. A web shell is a type of program that hackers install on hacked web servers to grant them backdoor access and remote command execution capabilities on those servers through a web-based interface.

In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium had been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn't prevent other groups of attackers from exploiting the vulnerabilities after they became public.

In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds."

What does the warrant allow?

The FBI asked for, and received, court approval to access the malicious web shells through the passwords set by the original attackers and then use that access against the malware itself by executing a command that deletes the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of the web shells first because they could constitute evidence.

The warrant states that it "does not authorize the seizure of any tangible property" or the copying or alteration of any content from the servers aside from the web shells themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation or to remove any additional malware or tools that hackers might have already deployed.

The FBI states in its warrant request that the Federal Rules of Criminal Procedure require the officer to make "reasonable efforts to serve a copy of the warrant and receipt on the person whose property is searched" when dealing with remote access to electronic storage and the seizure of electronically stored information. However, such notification can be accomplished by any means, including electronic ones, that have a "reasonably calculated" chance of reaching that person. To comply with this requirement, the FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers. If the domains used a privacy service that hid the associated email address, the FBI contacted the domain registrars or the ISPs and asked them to notify their customers.

Is the FBI warrant approach new?

This is not the first time that the FBI or law enforcement authorities from other countries have sent commands to malware running on infected computers. In 2011, the FBI obtained a temporary restraining order that allowed it to seize the command-and-control servers and domain names used by the Coreflood botnet and modify them to respond with a command that temporarily stopped the malware from running on computers. While the command disabled the malware, it did not completely remove it from infected systems.

In 2019, the French National Gendarmerie, working with antivirus vendor Avast, disabled the command-and-control server used by the Retadup worm that deployed cryptocurrency mining malware and replaced it with a "disinfection server." The disinfection server responded to requests from infected systems with a response that caused the malware to self-destruct.

The result of these past operations is similar to that of the current FBI action -- malware was remotely disabled or removed from infected computer systems. However, from a technical perspective, the approach was different. Placing a specific command on a seized server, knowing that the malware is programmed to contact that server and execute that command, is a somewhat passive approach. In this case the web shells did not have a central server they regularly queried for commands, so the FBI had to separately connect to hundreds of compromised systems through a backdoor left by attackers and issue a command, which is arguably a more active approach. Additionally, the FBI made a copy of the malicious programs.

"I think it's an interesting change," Chris Pierson, CEO of BlackCloak, a provider of concierge cybersecurity and privacy solutions for high-net-worth individuals and business executives, tells CSO. "It is the nuance of it that makes it unprecedented. The copying of the web shell -- the copying of evidence that is technically in the company's possession -- without their knowledge and then the removal of that web shell from within the company without their knowledge until afterwards, is a different escalation that makes it unprecedented."

Pierson, who also served as a special government employee on the Department of Homeland Security Privacy and Cybersecurity Committees, describes the FBI's action as "active defense." According to him, traditional defense would be notifying victims that their servers are infected, directing them to the patches and providing them with guidance and remediation tools, but this is more along the lines of: "We believe that you're ill-equipped to do it yourself; it is some type of existential threat in terms of critical infrastructure, and therefore, we are going to at least do some parts of this."

This is one step forward from what has been done in the past with seizing command-and-control servers and sinkholing botnet traffic and it's interesting from many perspectives: transparency, active cyber defense and privacy, Pierson says. "I think it's unprecedented for the sheer fact that the FBI decided to take more of an active role in defense in corporate America."

Should businesses worry about active defense?

It seems that the FBI and the DOJ tried to be transparent and were careful to limit the scope of their actions in this case. The warrant application mentions that the removal command was tested on an FBI server and the agency consulted with an outside expert during their technical evaluation of the code to ensure it would not adversely affect the compromised systems or the Microsoft Exchange software running on them.

That doesn't mean that all risks can be accounted for and eliminated during actions such as these. For example, even if the legitimate server functionality is not disrupted, removing malware files could interfere with ongoing or future forensic investigations the affected organizations might undertake. Evidence of additional actions taken by the attackers through the backdoor could also be accidentally deleted.
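The copy-first, delete-second procedure the warrant describes, scoped to explicitly listed file paths, is what an incident responder would also want when cleaning their own server, with the forensic caveat above addressed by hashing and copying the file (timestamps included) before anything is removed. This is an added example, not code from the article or the FBI's tooling; the function names and the constructed sample file are hypothetical.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_then_remove(target: Path, evidence_dir: Path) -> dict:
    """Copy one suspected web shell into evidence_dir, record its metadata,
    verify the copy by hash, and only then delete the original.
    Raises (leaving the original untouched) if the copy cannot be verified."""
    target, evidence_dir = Path(target), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = target.stat()                      # capture size/timestamps before touching the file
    original_hash = sha256_of(target)
    copy_path = evidence_dir / f"{original_hash}_{target.name}"
    shutil.copy2(target, copy_path)         # copy2 preserves modification/access times
    if sha256_of(copy_path) != original_hash:
        copy_path.unlink(missing_ok=True)
        raise RuntimeError(f"evidence copy of {target} failed verification; original kept")
    record = {
        "original_path": str(target.resolve()),
        "sha256": original_hash,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "evidence_copy": str(copy_path.resolve()),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }
    (evidence_dir / f"{original_hash}.json").write_text(json.dumps(record, indent=2))
    target.unlink()                         # removal happens only after verified preservation
    return record


def remove_listed_shells(paths, evidence_dir: Path) -> list:
    """Process only the explicitly listed paths (no directory sweep), mirroring the
    warrant's path-scoped authorization; paths that no longer exist are skipped."""
    return [preserve_then_remove(p, evidence_dir) for p in map(Path, paths) if p.is_file()]
```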

"It is certainly something that corporations need to pay attention to and it's something where transparency should be demanded," Pierson says. "There could be many different things [that could go wrong]. It could be just the fact that one of the servers was a super secret honeypot that's run by a security vendor and as a result it neutered their research into malware."

Pierson believes that federal agencies need to weigh the unintended consequences and be transparent and open about them. "What is too far, what is just right and what role do we want our federal agencies or federal partners playing in terms of the safety of the internet and that ecosystem?" he says. "Those are the questions that definitely need to be discussed more."