A Precedent to Remember: FBI Operation Removed Web Shells from Exchange Servers (Part 2)

This post is Part 2 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.

Figure 0. Notes on notes
  1. What cyber threat intelligence (CTI) can we pull from this operation?
  2. What do we do next?

Did they access my system(s)?

This question presents the most challenging aspect of this operation, and it is the one that current and future information security professionals should examine going forward. Let’s first address the concern of access and then examine how the FBI is handling communications.

(Un)authorized Remote Access

If your system(s) were in the list of systems presented in Attachment A (largely redacted, so I’m not going to screenshot it here), yes, your system was accessed as part of this operation. Or, perhaps it’s better to say that access to your system was attempted. You’ll need to confirm via your own logs; if the FBI ever publishes a list of targets vs. completion ratios, we will know from that release.

Figure 1. Tweet from Rick Holland
Figure 2. Tweet from nluedtke
  1. When we deploy an Internet-facing system within the U.S., such as a web or email server, are we automatically allowing the U.S. government to include it as part of their eradication efforts?
  2. Given the definition of a “Protected Computer” (as we examined in Part 1), what specifically defines a computer associated with “interstate and/or foreign commerce?”
  3. How many of us currently have Protected Computer(s) in our fleet, and do we know about them?

Without advanced notice, how is a SOC or incident response team supposed to treat web shell access and file manipulation?

There’s a Catch-22 in this final question — if the security team was not aware or could not remove the web shell(s) themselves, would they even be able to detect access, legitimate or not?
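A minimal check of the kind the question above implies, added here as an example that is not part of the original post: it parses constructed IIS W3C log lines and flags requests to .aspx files that are not on an allowlist of expected pages. The allowlist, the watched directories and the log sample are all assumptions, and any hit looks the same in the log whether it came from an attacker or from the court-ordered removal, which is the Catch-22 above.

```python
from collections import Counter

# Constructed sample in IIS W3C style; the #Fields line defines the columns.
# "shell-placeholder.aspx" stands in for any unexpected file, not a real name.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2021-04-10 03:12:44 GET /owa/auth/logon.aspx - 198.51.100.7 200
2021-04-10 03:12:51 POST /owa/auth/logon.aspx - 198.51.100.7 302
2021-04-10 03:15:02 POST /owa/auth/shell-placeholder.aspx - 203.0.113.9 200
2021-04-10 03:15:09 POST /owa/auth/shell-placeholder.aspx - 203.0.113.9 200
2021-04-10 03:20:30 GET /ecp/default.aspx jdoe 198.51.100.7 200
"""

# Assumed allowlist: build it from a known-good server in a real deployment.
EXPECTED_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
WATCHED_DIRS = ("/owa/auth/", "/ecp/")


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_unexpected_aspx(text):
    """Return (timestamp, client ip, method, path) for .aspx hits not on the allowlist."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or not stem.startswith(WATCHED_DIRS):
            continue
        if stem in EXPECTED_ASPX:
            continue
        findings.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"], rec["cs-method"], stem))
    return findings


def summarize(findings):
    """Group hits by (client ip, path) so an analyst sees one line per suspected shell."""
    return dict(Counter((ip, stem) for _, ip, _, stem in findings))


if __name__ == "__main__":
    for key, n in summarize(find_unexpected_aspx(SAMPLE_LOG)).items():
        print(key, n)
```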

Access Communications

If your system(s) was in the list of impacted systems targeted by this operation, the FBI lists the steps it will take to inform you of this action.

Figure 3. Screenshot from Affidavit for Case №4:21mj755 showing how the FBI will contact system owners
Figure 4. Mind map of how the FBI notified or will notify impacted system owners
Figure 5. Screenshot from Affidavit for Case №4:21mj755 showing how the FBI will contact system owners

What cyber threat intelligence (CTI) can we pull from this operation?

Unfortunately, despite a wide-reaching operation like this, there is little unredacted CTI data that isn’t already widely known. I’ve summarized what I could amass from this document below:

  • The patterns and file names corresponding to the web shells were already widely known, and overall they were not “new” pieces of malware.
  • The affidavit did not redact Microsoft’s claim that HAFNIUM is China-based. Not new, but an interesting line to leave in. I also really want to know what was redacted!
Figure 6. Screenshot from Affidavit for Case №4:21mj755 including HAFNIUM reference but redacting more details.
Figure 7. Screenshot from Affidavit for Case №4:21mj755 Appendix A, redacting “target” systems

What do we do next?

Regardless of whether your system was impacted by this operation, my advice to you remains the same:

  • If you were not impacted by this operation, I don’t think that means you’re in the clear. I’d still recommend following the advice of numerous blog posts out there (resources below) on what to do next.
  • Remain vigilant; operations like this pose a unique opportunity for attackers to craft phishes or, even worse, masquerade as the FBI accessing your web shell.
  • On April 13, 2021, Microsoft released a new round of Exchange Server vulnerabilities. Details are here. Go patch again!

Additional Resources

Microsoft Blog on HAFNIUM: HAFNIUM targeting Exchange Servers with 0-day exploits — Microsoft Security

Be selective with your battles.
